From: Oleg Pekar <[email protected]>
Date: Saturday, January 28, 2023 at 10:03 AM
To: Carl Wallace <[email protected]>
Cc: Ilari Liusvaara <[email protected]>, <[email protected]>
Subject: Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

Great, I will prepare the initial draft then. Are there any informal documents where WebPKI rules are captured?

> a new flag for the path validation algorithm that signifies WebPKI EKU
> processing is in effect

Do you mean a flag that one party presents to the other party as an indication that it expects from the other party the following: all of the other party's CA certificates in the chain must have the relevant EKU purpose?

[CW] No. I meant a flag like the inputs in section 6.1.1 of RFC5280. The flag would instruct a path validation implementation when the WebPKI EKU processing rules are to be used. The flag would not manifest itself on the wire. I’d define the flag as defaulting to false (for backwards compatibility) while recognizing that implementations can hardcode the flag to true as desired. This would more or less match the status quo but give a stable reference for the practice.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
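To make the distinction in the thread concrete, here is an added example (not from any poster and not from RFC 5280 or any real validator): a toy EKU check that takes a local `webpki_eku` input, modelled on the section 6.1.1 inputs, which is never sent on the wire. It assumes that a certificate without an EKU extension is unconstrained, that `anyExtendedKeyUsage` satisfies any purpose, and that the trust anchor is a separate input that is not examined; the certificate names and EKU sets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_EKU = "anyExtendedKeyUsage"
SERVER_AUTH = "serverAuth"
CLIENT_AUTH = "clientAuth"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed certificate (constructed, not real DER)."""
    subject: str
    is_ca: bool
    eku: Optional[frozenset] = None  # None means the EKU extension is absent


def _permits(cert: Cert, purpose: str) -> bool:
    # Assumption: no EKU extension means unconstrained; anyEKU covers all purposes.
    return cert.eku is None or purpose in cert.eku or ANY_EKU in cert.eku


def validate_eku(chain: List[Cert], purpose: str, webpki_eku: bool = False) -> Tuple[bool, str]:
    """chain is [end_entity, intermediate, ...] ending below the trust anchor.

    webpki_eku is a local validation input, defaulting to False for backwards
    compatibility; an implementation may hardcode it to True.
    """
    leaf, cas = chain[0], chain[1:]
    # Both modes check the end-entity certificate's EKU against the purpose.
    if not _permits(leaf, purpose):
        return False, f"end-entity {leaf.subject} does not permit {purpose}"
    if not webpki_eku:
        return True, "EKU checked on end-entity only"
    # WebPKI mode: every CA certificate in the chain must also permit the purpose.
    for ca in cas:
        if not ca.is_ca:
            return False, f"{ca.subject} is not a CA certificate"
        if not _permits(ca, purpose):
            return False, f"CA {ca.subject} does not permit {purpose}"
    return True, "EKU permitted by end-entity and every CA in the chain"


# Constructed sample chains: same leaf, intermediates that differ only in EKU.
LEAF = Cert("example-leaf", is_ca=False, eku=frozenset({SERVER_AUTH}))
GOOD_CHAIN = [LEAF, Cert("example-ica-tls", is_ca=True, eku=frozenset({SERVER_AUTH, CLIENT_AUTH}))]
BAD_CHAIN = [LEAF, Cert("example-ica-client-only", is_ca=True, eku=frozenset({CLIENT_AUTH}))]
```

Running `validate_eku(BAD_CHAIN, SERVER_AUTH)` with the flag off accepts the chain, while the same call with `webpki_eku=True` rejects it because the intermediate does not permit serverAuth.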
