Hi all,
I've taken the liberty of addressing the changes to the delegated credentials extension that were requested at IETF: https://github.com/tlswg/tls-subcerts/pull/13 The changes that would be adopted in draft-02 are as follows: * Drop support for TLS 1.2. * Allow the critical bit of the X.509 extension to be set. * Add the protocol version and credential signature algorithm to the Credential structure. * Make the KeyUsage of the delegation certificate stricter. * Specify undefined behavior in a few cases. It was suggested that we add optional "must-use-DC" semantics to the certificate. The solution we came up with was to add a "strict" flag to the extension that is set if (and only if) the extension is marked critical. The idea is that if the "strict" flag is set and the server doesn't offer a DC, then client must abort the handshake, In my opinion, the complexity this adds to the protocol outweighs the potential benefits. Comments on the PR are welcome. Thanks, Chris Patton
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
