SC-XXX: Set presence of id-ad-caIssuers and AIA extension to MAY for Subscriber Certificates.#665
Open
e3n0 wants to merge 4 commits intocabforum:mainfrom
Open
SC-XXX: Set presence of id-ad-caIssuers and AIA extension to MAY for Subscriber Certificates.#665e3n0 wants to merge 4 commits intocabforum:mainfrom
e3n0 wants to merge 4 commits intocabforum:mainfrom
Conversation
e3n0
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Since clients can build chains using either AKID/SKID matching or Issuer/Subject matching, and TLS servers typically serve a chain sufficient for verifying the Subscriber Certificate,
id-ad-caIssuersis unnecessary for typical TLS cert use cases.This ballot proposes marking
id-ad-caIssuersMAY instead of SHOULD for Subscriber Certificates in 7.1.2.7.7 and, sinceid-ad-ocspis also MAY in the BRs, proposes marking the AIA extension MAY instead of MUST for Subscriber Certificates.