Rob, I'm not sure what your proposed resolution for this issue means.
Phases like "a suitably name-constrained intermediate cert" and "clients may need to used trial and error" are not really appropriate for a standard. I'll await publication of the next rev of 6962-bis to see if there is an algorithmic description of how the matching is to be performed. Steve
#23: How can TLS clients match an SCT to a certificate? Changes (by [email protected]): * milestone: => review Comment: Fixed by https://github.com/google/certificate-transparency- rfcs/commit/d71d7707a3eeb5707cf5048c3849b068e477038c The !ItemExtension field is gone. When there's a suitably name- constrained intermediate in the certificate chain, TLS clients may need to use trial and error to determine which of the certificates in the chain an SCT or inclusion proof corresponds to.
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
