On Mar 19, 2008, at 6:56 PM, Cullen Jennings wrote:

>
> And certs has the text
>
>    I-D.sip-eku [9] describes the method to validate any Extended Key
>    Usage values found in the certificate for a SIP domain.
>    Implementations MUST perform the checks prescribed by that
>    specification.
>
> which seems to me like it could be changed to
>
>    I-D.sip-eku [9] describes the method to validate any Extended Key
>    Usage values found in the certificate for a SIP domain.
>
So the above text means to me "If you receive a certificate for a SIP domain that contains any Extended Key Usage values, you MUST validate them according to the procedures of I-D-sip-eku [9]."

Inserting EKU in a cert would seem to be optional. This is good, since getting EKU into a cert appears to be very hard.

If you receive a cert that contains EKU, it appears that validating it is mandatory (at least according to the current text). It could be that I (or the text) have this wrong, and EKU may safely be ignored.

However, even if validation of the EKU is optional, the only process we have for validating it is the process defined in [9], so that still seems like a normative reference rather than an informative reference to me, even though it's only a 2119 SHOULD or MAY level of requirement.

--
Dean

_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
