[16903] in cryptography@c2.net mail archive

critical bits in certs

daemon@ATHENA.MIT.EDU (Ian G)
Wed Feb 16 08:12:54 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 14 Feb 2005 15:02:04 +0000
From: Ian G <iang@systemics.com>
To: "\"List@metzdowd.com\"@metzdowd.com:Cryptography" <cryptography@metzdowd.com>

Has anyone got any experience or tips on critical
bits in certificates?  These are bits that can be
set in optional records that a certificate creator
puts in there to do a particular job.  The critical
bit says "don't interpret this entire certificate
if you don't understand this record."

X.509 certs have them; they are mentioned in RFCs:
http://www.faqs.org/rfcs/rfc3039.html
http://www.faqs.org/rfcs/rfc2459.html

Also, OpenPGP may have them (I recall arguing against
them a while back, never checked where it all ended).

The reason I ask is that a CA has started issuing
certs with an optional critical section.  It has a
good reason to do this ... but the results aren't
pretty, and the CA is now asking browser manufacturers
to accept its certs and/or "comply" with the crit.
Many issues are swirling around, so it seems useful
to ask around.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
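
The rule the post describes, as an added example that is not part of the original message: RFC 2459 tells a certificate-using system to reject a certificate carrying a critical extension it does not recognize, while unrecognized non-critical extensions may be ignored. The sketch below applies that rule to a DER-encoded Extensions value using only the Python standard library. The KNOWN_OIDS set, the function names and the sample bytes are assumptions constructed for illustration; the unknown extension sits under the 2.999 example OID arc.

```python
# Added example (not from the original post): X.509 extension criticality check.
# Assumption: this relying party implements only keyUsage and basicConstraints.
KNOWN_OIDS = {"2.5.29.15", "2.5.29.19"}

def read_tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:  # base-128 subidentifiers, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)  # the first two arcs share one subidentifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def parse_extensions(der):  # -> [(oid, critical)] for an Extensions SEQUENCE
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        t_oid, oid, p = read_tlv(ext, 0)
        t_val, val, p = read_tlv(ext, p)
        critical = False  # BOOLEAN DEFAULT FALSE: absent means non-critical
        if t_val == 0x01:
            critical = val != b"\x00"
            t_val, val, p = read_tlv(ext, p)
        if (tag, t_oid, t_val) != (0x30, 0x06, 0x04) or p != len(ext) or not oid:
            raise ValueError("malformed Extension")
        found.append((decode_oid(oid), critical))
    return found

def unhandled_critical(der, known=KNOWN_OIDS):  # any hit means: reject the cert
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in known]

# Constructed samples: critical keyUsage plus an extension under the 2.999 example arc.
KEY_USAGE = "300e0603551d0f0101ff040403020780"
WITH_CRIT = bytes.fromhex("301e" + KEY_USAGE + "300c06038837010101ff04020500")
WITHOUT_CRIT = bytes.fromhex("301b" + KEY_USAGE + "3009060388370104020500")
```

A non-empty result from unhandled_critical() means the certificate must be rejected; the same extension without the critical flag leaves the list empty and the certificate usable.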
