Off-list, Rob correctly pointed out that there are two PKCS#10-related issues 
that are not described; both arise from requirements for BGPsec certificate 
extensions:

1) SIA extension is forbidden in BGPsec certificates.  

2) EKU extension is required in BGPsec certificates with a particular value.

Now we have a couple of options:

a) say nothing and rely on the CA doing the right thing

b) prohibit/require SIA/EKU (respectively) be present in the PKCS#10

c) For:

* SIA - allow SIA in the PKCS #10 and rely on the CA to discard it and issue a 
properly formed certificate.

* EKU - allow EKU but not require EKU in the PKCS #10; if present, the EKU must 
have the correct OID.

I’m partial to option c because it seems like the pragmatic approach.

Thoughts?

spt
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
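
As an added illustration (not part of the original message or of any SIDR draft), a CA-side check for option c could look like the sketch below, using the Python `cryptography` library. The helper names, the sample requests and the rsync URI are constructed; the EKU value used is id-kp-bgpsec-router (1.3.6.1.5.5.7.3.30), and "correct OID" is read here as "that OID is among the requested key purposes", which is an assumption.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (ExtensionOID, NameOID,
                                   SubjectInformationAccessOID)

# id-kp-bgpsec-router: the EKU value a BGPsec router certificate carries.
BGPSEC_ROUTER_EKU = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.30")


def apply_option_c(csr):
    """Evaluate a PKCS#10 request under option c: (ok, reason, dropped)."""
    if not csr.is_signature_valid:  # proof of possession comes first
        return False, "bad PKCS#10 signature", []
    dropped = []
    for ext in csr.extensions:
        if ext.oid == ExtensionOID.SUBJECT_INFORMATION_ACCESS:
            # Tolerated in the request, never copied into the certificate.
            dropped.append("SIA")
        elif ext.oid == ExtensionOID.EXTENDED_KEY_USAGE:
            # Optional in the request; if present it must name the right OID.
            if BGPSEC_ROUTER_EKU not in list(ext.value):
                return False, "EKU present with wrong OID", dropped
    # The CA adds the EKU itself at issuance, requested or not.
    return True, "accepted", dropped


def make_csr(eku_oid=None, with_sia=False):
    """Build a constructed sample request for exercising the check."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                         "ROUTER-0000FDE8")])  # constructed
    builder = x509.CertificateSigningRequestBuilder().subject_name(name)
    if eku_oid is not None:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([eku_oid]), critical=False)
    if with_sia:
        sia = x509.SubjectInformationAccess([x509.AccessDescription(
            SubjectInformationAccessOID.CA_REPOSITORY,
            x509.UniformResourceIdentifier("rsync://rpki.example.net/repo/"))])
        builder = builder.add_extension(sia, critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(apply_option_c(make_csr(BGPSEC_ROUTER_EKU, with_sia=True)))
```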