Santosh,

> Steve,
> I read 6962-bis saying submission of certificate chain.
> Why not add path validation to the list of rules you defined below?
> That would be good given the wide variance in how browsers process
> chains. This gives us another opportunity at log level to have
> correct logic for path validation.

I believe 6962-bis already requires a log operator to validate the cert
chain to one of the roots from which it accepts SCT requests, based on
text in Section 3.1. But I can add a specific reminder of the need to
do that.

> Note that if one follows CABF, unlike RFC 5280 and X.509, EKU is
> processed somewhat akin to certificate policy (less policy mapping).

Can you point to the CABF text that makes this clear? Also, I'd be
thankful if you can provide suggested changes to my text to highlight
this.

> On a side note, I fail to see a CABF requirement with respect to
> interaction between name constraints and EKU.

I read Section 9.7 of the DV (1.1.9) spec as implying a linkage between
the two, but the wording is somewhat confusing to me.
Steve
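The check the thread is discussing (a log validating a submitted chain to one of its accepted roots, with EKU treated as something that constrains the whole path rather than only the leaf) is shown below as an added example. It is not code from the thread, from RFC 6962-bis, or from any CT log implementation; it uses Go's standard `crypto/x509` verifier, whose chain-wide EKU handling is Go's own behaviour and is used here only to illustrate the point. The function and type names (`validateSubmission`, `BuildDemoPKI`, `DemoPKI`) and the whole test hierarchy are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// validateSubmission is a hypothetical log-side check (not from RFC 6962-bis
// or any CT log): the submitted chain is accepted only if its leaf validates
// to one of the log's accepted roots. Go's verifier also checks EKU along the
// whole path, so an intermediate that carries an EKU extension restricts what
// its leaves may be accepted for.
func validateSubmission(chain []*x509.Certificate, accepted *x509.CertPool) ([]*x509.Certificate, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	chains, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         accepted,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

var serial int64

// newTemplate builds a minimal certificate template for the constructed PKI below.
func newTemplate(cn string, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	serial++
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue creates a fresh key and signs tmpl under parent; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoPKI is a constructed test hierarchy, not real-world certificates.
type DemoPKI struct {
	Accepted     *x509.CertPool      // the log's accepted roots (one root here)
	GoodChain    []*x509.Certificate // leaf under an intermediate with no EKU extension
	EKUChain     []*x509.Certificate // leaf under a clientAuth-only intermediate
	ForeignChain []*x509.Certificate // leaf under a root the log does not accept
}

// BuildDemoPKI generates the three chains above under freshly generated keys.
func BuildDemoPKI() (*DemoPKI, error) {
	var firstErr error
	mk := func(tmpl, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := issue(tmpl, parent, pk)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

	root, rootKey := mk(newTemplate("Accepted Root", true, nil), nil, nil)
	inter, interKey := mk(newTemplate("Unrestricted CA", true, nil), root, rootKey)
	leaf, _ := mk(newTemplate("leaf.example", false, serverAuth), inter, interKey)
	ekuCA, ekuCAKey := mk(newTemplate("ClientAuth-only CA", true, clientAuth), root, rootKey)
	ekuLeaf, _ := mk(newTemplate("leaf.example", false, serverAuth), ekuCA, ekuCAKey)
	other, otherKey := mk(newTemplate("Other Root", true, nil), nil, nil)
	otherLeaf, _ := mk(newTemplate("leaf.example", false, serverAuth), other, otherKey)
	if firstErr != nil {
		return nil, firstErr
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &DemoPKI{
		Accepted:     pool,
		GoodChain:    []*x509.Certificate{leaf, inter},
		EKUChain:     []*x509.Certificate{ekuLeaf, ekuCA},
		ForeignChain: []*x509.Certificate{otherLeaf},
	}, nil
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	for name, chain := range map[string][]*x509.Certificate{
		"good": p.GoodChain, "eku-restricted": p.EKUChain, "foreign-root": p.ForeignChain,
	} {
		_, err := validateSubmission(chain, p.Accepted)
		fmt.Printf("%-15s accepted=%v err=%v\n", name, err == nil, err)
	}
}
```

Only the first chain is accepted: the second fails because the intermediate's EKU extension does not permit serverAuth (EKU processed along the path, as the CABF discussion above describes), and the third fails because its root is not in the log's accepted set.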
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans