Re: TLSv12 Client Certificate Selection Behavior !!

Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
    > Yes, v1 certs would get a free ride.  The reason to enforce KU
    > in client certs would be that client certs are not infrequently
    > (though not always) optional, and it can be better to not send
    > any client cert, than to send one the server will reject.

802.1AR seems to discourage KU in IDevID because at most KU bits make
the certificate less usable, and IDevID certificates are expected to live
for decades.

    > RSA client certs without digital signature in KU are increasingly
    > not interoperable as more server implementations are checking the
    > keyUsage these days.  So at some point it makes sense to consider
    > not offering such (client) certs to the peer server.

I would like knobs for this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [

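The "knob" asked for above, worked through as an added example that is not part of the thread and not OpenSSL code: a client-side certificate selection callback that withholds an RSA client certificate whose keyUsage extension lacks digitalSignature, while letting v1 and keyUsage-less certificates (the IDevID case) through unchanged. It uses Go's standard crypto/tls `GetClientCertificate` hook and `CertificateRequestInfo.SupportsCertificate`; the `Offerable` policy and the `SelfSigned` test-certificate helper are this example's own assumptions, and the certificates it mints are constructed throwaway material.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509 keyUsage extension (id-ce-keyUsage, 2.5.29.15).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// hasKeyUsageExt reports whether the certificate carries a keyUsage
// extension at all. A v1 certificate has no extensions, and 802.1AR
// IDevIDs commonly omit keyUsage so the certificate stays usable for decades.
func hasKeyUsageExt(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			return true
		}
	}
	return false
}

// Offerable is the policy from the thread (an assumption of this example,
// not an OpenSSL option): offer a client certificate unless it carries a
// keyUsage extension without digitalSignature, because a server that
// enforces keyUsage rejects such a certificate for TLS client authentication.
func Offerable(cert *x509.Certificate) bool {
	if !hasKeyUsageExt(cert) {
		return true // v1 and keyUsage-less certificates get the free ride
	}
	return cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// SelectClientCert builds a tls.Config.GetClientCertificate callback over a
// list of candidates. It returns the first candidate that the server's
// CertificateRequest can accept and that passes Offerable. When none
// qualifies it returns an empty tls.Certificate, which makes crypto/tls send
// no certificate at all: when the server only requests (rather than requires)
// client auth, that beats sending one it will reject.
func SelectClientCert(candidates []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for i := range candidates {
			c := &candidates[i]
			if c.Leaf == nil {
				leaf, err := x509.ParseCertificate(c.Certificate[0])
				if err != nil {
					continue
				}
				c.Leaf = leaf
			}
			if cri.SupportsCertificate(c) != nil || !Offerable(c.Leaf) {
				continue
			}
			return c, nil
		}
		return &tls.Certificate{}, nil
	}
}

// SelfSigned mints a throwaway self-signed RSA certificate with the given
// keyUsage bits (constructed test material; ku == 0 omits the extension).
func SelfSigned(cn string, ku x509.KeyUsage) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

func main() {
	encOnly, _ := SelfSigned("rsa-keyEncipherment-only", x509.KeyUsageKeyEncipherment)
	noKU, _ := SelfSigned("no-keyUsage-extension", 0)
	sig, _ := SelfSigned("rsa-digitalSignature", x509.KeyUsageDigitalSignature)
	for _, c := range []tls.Certificate{encOnly, noKU, sig} {
		fmt.Printf("%-28s offer=%v\n", c.Leaf.Subject.CommonName, Offerable(c.Leaf))
	}
	// The keyEncipherment-only cert is skipped and the keyUsage-less one sent.
	pick := SelectClientCert([]tls.Certificate{encOnly, noKU})
	chosen, _ := pick(&tls.CertificateRequestInfo{
		Version:          tls.VersionTLS12,
		SignatureSchemes: []tls.SignatureScheme{tls.PKCS1WithSHA256},
	})
	fmt.Println("selected:", chosen.Leaf.Subject.CommonName)
}
```

To wire this into a real client, set `GetClientCertificate: SelectClientCert(certs)` on the `tls.Config` instead of `Certificates`. Note that `SupportsCertificate` only checks signature algorithms and acceptable CAs, not keyUsage, which is exactly the gap `Offerable` closes.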