> And how is the value encoded? Using the same encoding as extnValue payload of respective extension in X.509 certificates?

The same encoding as the respective extension in X.509 certificates (please feel free to suggest the language to make this clearer).

> A CertificateExtension is a hint to the client about what kind of certificates are acceptable. We have a registry of u16s for them. Clients ignore extensions they don't understand, so it is ultimately on the server to check the certificate is acceptable (as it always is). If we wish to filter on OIDs, we define, e.g., a key_usage value whose contents have some KeyUsage-specific meaning. Do we need to make it this flexible?

The idea was to avoid adding complexity to the certificate filtering code in the TLS stack, and instead filter by OIDs in the PKI library. PKI libraries already inspect and match OID values, so this should be a relatively small change for them.

Cheers,

Andrei
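A constructed illustration of the scheme discussed in the thread (added here; not code from the draft, the TLS working group, or the poster): a hint list of (u16 type, opaque value) pairs where the key_usage value is the DER BIT STRING that a certificate's KeyUsage extnValue carries, and a client-side check that ignores unknown types. The u16-length value framing and the KEY_USAGE_TYPE code are assumptions, not registry values.

```python
import struct

# Placeholder registry code for key_usage (assumption; the real value is registry-assigned).
KEY_USAGE_TYPE = 0x0001

# RFC 5280 KeyUsage bit positions, bit 0 = most significant bit of the first byte.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING (minimal length, trailing zero bits dropped)."""
    highest = max(KEY_USAGE_BITS.index(n) for n in names)
    buf = bytearray(highest // 8 + 1)
    for n in names:
        i = KEY_USAGE_BITS.index(n)
        buf[i // 8] |= 0x80 >> (i % 8)
    unused = 7 - (highest % 8)                 # DER: count of unused trailing bits
    return bytes([0x03, len(buf) + 1, unused]) + bytes(buf)

def decode_key_usage(der):
    """Parse the BIT STRING back into the set of named usages."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, body = der[2], der[3:]
    return {KEY_USAGE_BITS[i] for i in range(len(body) * 8 - unused)
            if i < len(KEY_USAGE_BITS) and body[i // 8] & (0x80 >> (i % 8))}

def encode_extensions(exts):
    """Assumed framing: u16 type, u16 length, opaque value (one entry per hint)."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in exts)

def decode_extensions(data):
    exts, i = [], 0
    while i < len(data):
        t, n = struct.unpack("!HH", data[i:i + 4])
        exts.append((t, data[i + 4:i + 4 + n]))
        i += 4 + n
    return exts

def certificate_satisfies(exts, cert_key_usage):
    """Client-side hint check: a key_usage hint requires the cert to carry every listed
    bit; hint types the client does not know are ignored (the server still verifies)."""
    for t, v in exts:
        if t == KEY_USAGE_TYPE and not decode_key_usage(v) <= set(cert_key_usage):
            return False
    return True
```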
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls