- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 12 Jul 2018 15:53:02 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Martin Thomson <martin.thomson@gmail.com>
Received on Thursday, 12 July 2018 14:53:36 UTC
(For some reason the other thread made me wonder about this...)

This may be handled already and even if not is probably not a real-world problem, but do we know what happens if the subjects/SANs from primary and 2ndary certs combined result in there sorta being no valid names due to excludedSubtrees in one nixing the names from the other?

I expect it'd be ok to say "ditch any 2ndary certs that have excludedSubtrees" if any change is needed. There are probably other workable answers too, but saying nothing could easily lead to weirdness and maybe attacks if different libraries behave differently.

I wonder if there are any other PKIX oddities that also ought to be noted? Might be worth a check of this draft vs. 5280 with that in mind, as I don't recall PKIX (despite its longevity;-) considering the semantics of sets of certs, which is what's in play here I guess.

Cheers,
S.
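To make the scenario concrete, here is an added example (not from the mail, the draft, or any library) that models a primary certificate plus one secondary certificate as sets of dNSName SANs and excludedSubtrees constraints, using the RFC 5280 section 4.2.1.10 dNSName matching rule. The `Cert` class, the `"combine"` reading (every cert's excludedSubtrees applied to every cert's SANs) and the `"drop-constrained"` policy (discard secondaries carrying excludedSubtrees, as suggested above) are assumptions made for illustration; RFC 5280 only defines name constraints as applying to certificates further down the path, which is exactly why cross-cert semantics are undefined. The leading-dot subdomain-only form is an implementation convention rather than RFC text.

```python
"""Constructed model of name-constraint interaction across a set of certs
(primary + secondary). Hypothetical: not code from the draft or any library."""

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for a certificate: its SAN dNSNames and any
    excludedSubtrees dNSName constraints it carries (constructed data)."""
    label: str
    san_dns: set
    excluded_dns: set = field(default_factory=set)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: a name satisfies the constraint if it
    equals it or is formed by adding labels on the left (label boundary kept).
    A leading dot (".example.com") matches subdomains only; that form is an
    implementation convention, not RFC 5280 text."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def effective_names(certs, policy="combine"):
    """Names a client would treat as valid across the whole set.

    'combine'          : union of all SANs minus anything matched by ANY
                         cert's excludedSubtrees (naive cross-cert reading).
    'drop-constrained' : secondary certs carrying excludedSubtrees are
                         discarded first (the conservative policy above).
    """
    primary, secondaries = certs[0], certs[1:]
    if policy == "combine":
        used = list(certs)
    elif policy == "drop-constrained":
        used = [primary] + [c for c in secondaries if not c.excluded_dns]
    else:
        raise ValueError(f"unknown policy: {policy}")
    excluded = set().union(*(c.excluded_dns for c in used))
    names = set().union(*(c.san_dns for c in used))
    return {n for n in names
            if not any(dns_in_subtree(n, s) for s in excluded)}


def demo():
    """Constructed pair of certs whose constraints cancel each other's names
    under the naive reading, leaving nothing valid."""
    primary = Cert("primary",
                   {"www.example.com", "api.example.com"},
                   {"example.net"})
    secondary = Cert("secondary",
                     {"cdn.example.net"},
                     {"example.com"})
    return {p: effective_names([primary, secondary], p)
            for p in ("combine", "drop-constrained")}


if __name__ == "__main__":
    for policy, names in demo().items():
        print(f"{policy:17s} -> {sorted(names) or '(no valid names)'}")
```

Under `"combine"` the two constraints wipe out every name on both certificates, which is the "no valid names" outcome the mail describes; under `"drop-constrained"` the primary's names survive. Two clients that disagree on which reading to use would accept different hostnames for the same connection, so whatever policy the draft picks, it is worth stating it explicitly so that behaviour does not vary by library.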