Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> Yes, v1 certs would get a free ride. The reason to enforce KU
> in client certs would be that client certs are not infrequently
> (though not always) optional, and it can be better to not send
> any client cert, than to send one the server will reject.
802.1AR seems to discourage KU in IDevID because at most KU bits make
the certificate less useable, and IDevID certificates are expected to live
for decades.
> RSA client certs without digital signature in KU are increasingly
> not interoperable as more server implementations are checking the
> keyUsage these days. So at some point it makes sense to consider
> not offering such (client) certs to the peer server.
I would like knobs for this.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
Attachment:
signature.asc
Description: PGP signature
