Jeffrey Walton <[email protected]> wrote:
> On Sun, May 15, 2016 at 5:19 PM, Jesse Wilson <[email protected]> wrote:
> > Thanks Brian! I'm happy to hear that this is an implementation bug (that I
> > can petition to get fixed), rather than a spec bug (that we all have to
> > work around).
>
> It depends on the issuing policies.
>
> The IETF has no way to specify that a certificate was created or
> issued under PKIX, so it's a moot point. (It creates a vacuum like the
> EV mess, except for standard certificates rather than EV
> certificates).
HPKP is specified in terms of RFC 5280, so we can assume only PKIX certificates are used for HPKP. In particular, HPKP (RFC 7469) defers to RFC 5280 for the specification of SPKI. RFC 5280 then defers to other specs for defining SPKI:

"Conforming implementations that use the algorithms identified in [RFC3279] <http://tools.ietf.org/html/rfc3279>, [RFC4055] <http://tools.ietf.org/html/rfc4055>, and [RFC4491] <http://tools.ietf.org/html/rfc4491> MUST identify and encode the public key materials and digital signatures as described in those specifications."

RFC 5480 updates RFC 3279. So, yes, a CA can issue a certificate that's not RFC 5480-conformant, but nobody should expect HPKP to work with such certificates.

Cheers,
Brian
-- 
https://briansmith.org/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
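The point of the exchange above is that an RFC 7469 pin is a hash over the DER bytes of the SubjectPublicKeyInfo structure, and that RFC 5280 leaves the encoding of that structure to RFC 3279 (rsaEncryption, whose parameters MUST be NULL) and RFC 5480 (id-ecPublicKey, whose parameters MUST be a namedCurve OID). The following is an added example written for this page, not code from the thread, from OkHttp, or from any HPKP implementation. It uses only the Go standard library: it computes pin-sha256 for a P-256 and an RSA key, checks that the SPKI encoding follows RFC 3279/5480, and re-encodes the RSA key with the parameters field omitted to show that the same key under a different SPKI encoding produces a different pin and fails the conformance check. The function names are hypothetical, and the keys are generated fresh on each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// Algorithm OIDs from RFC 3279 (rsaEncryption) and RFC 5480 (id-ecPublicKey, secp256r1).
var (
	oidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	oidECPublicKey   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
	oidP256          = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
)

// subjectPublicKeyInfo mirrors the RFC 5280 SubjectPublicKeyInfo SEQUENCE;
// RFC 7469 hashes the DER encoding of exactly this structure.
type subjectPublicKeyInfo struct {
	Algorithm        pkix.AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

// PinSHA256 is the RFC 7469 pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func PinSHA256(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckConformingSPKI (hypothetical name) returns the algorithm OID and, for EC
// keys, the namedCurve OID. It rejects encodings RFC 3279/5480 do not allow:
// rsaEncryption without NULL parameters (RFC 3279 section 2.3.1) and EC
// parameters that are not a namedCurve OID (RFC 5480 section 2.1.1 forbids
// implicitCurve and specifiedCurve in PKIX).
func CheckConformingSPKI(spkiDER []byte) (alg, curve asn1.ObjectIdentifier, err error) {
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(spkiDER, &spki)
	if err != nil {
		return nil, nil, err
	}
	if len(rest) != 0 {
		return nil, nil, fmt.Errorf("%d trailing bytes after SubjectPublicKeyInfo", len(rest))
	}
	alg, params := spki.Algorithm.Algorithm, spki.Algorithm.Parameters
	switch {
	case alg.Equal(oidRSAEncryption):
		if params.Class != asn1.ClassUniversal || params.Tag != asn1.TagNull {
			return nil, nil, fmt.Errorf("rsaEncryption parameters must be NULL")
		}
		return alg, nil, nil
	case alg.Equal(oidECPublicKey):
		if _, err := asn1.Unmarshal(params.FullBytes, &curve); err != nil {
			return nil, nil, fmt.Errorf("EC parameters are not a namedCurve OID: %w", err)
		}
		return alg, curve, nil
	}
	return nil, nil, fmt.Errorf("algorithm %v is not handled by this check", alg)
}

// AbsentParamsRSASPKI (hypothetical name) re-encodes the same RSA key with the
// parameters field omitted instead of NULL: same key, different SPKI bytes,
// therefore a different pin. Go's asn1.Marshal drops a zero-valued optional field.
func AbsentParamsRSASPKI(pub *rsa.PublicKey) ([]byte, error) {
	raw := x509.MarshalPKCS1PublicKey(pub)
	return asn1.Marshal(subjectPublicKeyInfo{
		Algorithm:        pkix.AlgorithmIdentifier{Algorithm: oidRSAEncryption},
		SubjectPublicKey: asn1.BitString{Bytes: raw, BitLength: 8 * len(raw)},
	})
}

func main() {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	for _, pub := range []any{&ecKey.PublicKey, &rsaKey.PublicKey} {
		spki, err := x509.MarshalPKIXPublicKey(pub) // RFC 3279/5480 encoding
		check(err)
		alg, curve, err := CheckConformingSPKI(spki)
		check(err)
		fmt.Printf("alg=%v curve=%v pin-sha256=%q\n", alg, curve, PinSHA256(spki))
	}
	bad, err := AbsentParamsRSASPKI(&rsaKey.PublicKey)
	check(err)
	_, _, err = CheckConformingSPKI(bad)
	fmt.Printf("rsa, parameters omitted: pin-sha256=%q check=%v\n", PinSHA256(bad), err)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

For a real certificate the bytes to hash are the SPKI as the CA emitted them, which in Go is the RawSubjectPublicKeyInfo field of a parsed x509.Certificate; hashing a re-encoding of the parsed key instead would hide exactly the encoding differences the thread is about.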
