critical bits in certs

Ian G iang at systemics.com
Mon Feb 14 10:02:04 EST 2005


Has anyone got any experience or tips on critical
bits in certificates?  These are bits that can be
set in optional records that a certificate creator
puts in there to do a particular job.  The critical
bit says "don't interpret this entire certificate
if you don't understand this record."

X.509 certs have them, they are mentioned in RFCs
http://www.faqs.org/rfcs/rfc3039.html
http://www.faqs.org/rfcs/rfc2459.html

Also, OpenPGP may have them (I recall arguing against
them a while back, never checked where it all ended).

The reason I ask is that a CA has started issuing
certs with an optional critical section.  It has a
good reason to do this ... but the results aren't
pretty, and the CA is now asking browser manufacturers
to accept its certs and/or "comply" with the crit.
Many issues are swirling around, so it seems useful
to ask around.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
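
The rule described in this message, in the form RFC 2459 gives it for X.509 (reject a certificate carrying a critical extension you do not recognize; an unrecognized non-critical one may be ignored), sketched as an added example that is not part of the original post. The KNOWN set, the function names and the sample bytes are assumptions made for illustration, and the sample is constructed rather than taken from any real certificate.

```python
KNOWN = {"2.5.29.15", "2.5.29.14"}  # assumed relying-party list: keyUsage, subjectKeyIdentifier
# Constructed sample: keyUsage (critical), subjectKeyIdentifier, 2.999.1 (critical, example arc).
SAMPLE = bytes.fromhex(
    "302b300e0603551d0f0101ff0404030205a0"
    "300b0603551d0e04040402abcd" "300c06038837010101ff04020500")

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 digits; the high bit marks "more bytes follow"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_extensions(der):  # -> [(oid, critical), ...]
    tag, body, _ = read_tlv(der, 0)
    found, pos = [], 0
    while pos < len(body):
        seq, ext, pos = read_tlv(body, pos)
        t1, oid, p = read_tlv(ext, 0)
        t2, val, p = read_tlv(ext, p)
        critical = False  # BOOLEAN DEFAULT FALSE: DER omits the field when false
        if t2 == 0x01:
            critical = val != b"\x00"
            t2, val, p = read_tlv(ext, p)
        if (tag, seq, t1, t2) != (0x30, 0x30, 0x06, 0x04):
            raise ValueError("malformed Extension")
        found.append((decode_oid(oid), critical))
    return found

def unhandled_critical(der, understood=KNOWN):  # non-empty result means: reject
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in understood]
```

A relying party that has not been taught 2.999.1 gets a non-empty list for SAMPLE and has to refuse the whole certificate, which is the interoperability cost the message is asking about.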


