A couple of questions on the format and handling of certificate_extensions.
What format is the data that appears in certificate_extension_values? I'd say that it should be in the same format as the content octets of the extnValue field of Extension (from RFC5280 et al). So (for example) it would be a BIT STRING for Key Usage and a SEQUENCE OF OBJECT IDENTIFIER for Extended Key Usage.

As regards the matching rules: how do these apply when a particular extension is absent from the certificate? For example, an absent Key Usage is often taken to mean no Key Usage restrictions apply. If Key Usage is present in certificate_extensions, does it *require* that the Key Usage extension is explicitly present in the certificate?

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shen...@drh-consultancy.co.uk, PGP key: via homepage.
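An added illustration, not part of the original message and not taken from any TLS draft or implementation, of the encoding the message proposes and of the two readings of an absent Key Usage extension. The function names, the subset matching rule and the `absent_means_unrestricted` switch are assumptions made for this example.

```python
# Added example: DER values as they would sit in extnValue (RFC 5280),
# plus a matcher showing both readings of an absent Key Usage extension.
KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage

def tlv(tag, content):
    """DER tag-length-value; short-form length only (content < 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("example handles short-form lengths only")
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_key_usage(bits):
    """BIT STRING from named bit numbers (0 = digitalSignature, 5 = keyCertSign)."""
    if not bits:
        return tlv(0x03, b"\x00")
    top = max(bits)
    value = bytearray(top // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    # DER named bit list: trailing zero bits are dropped and counted as unused
    return tlv(0x03, bytes([7 - top % 8]) + bytes(value))

def encode_eku(oids):
    """SEQUENCE OF OBJECT IDENTIFIER."""
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))

def decode_key_usage(der):
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    return {i for i in range(len(body) * 8 - unused)
            if body[i // 8] & (0x80 >> (i % 8))}

def key_usage_matches(cert_exts, required_der, absent_means_unrestricted):
    """cert_exts maps OID -> extnValue content octets (constructed input).
    Assumed rule: every requested bit must be set in the certificate."""
    present = cert_exts.get(KEY_USAGE_OID)
    if present is None:
        # The open question in the message: accept or reject when absent?
        return absent_means_unrestricted
    return decode_key_usage(required_der) <= decode_key_usage(present)
```
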