
shibboleth-dev - Re: "Unfortunate" Thawte discovery

Re: "Unfortunate" Thawte discovery


  • From: "RL 'Bob' Morgan" <>
  • To: "David L. Wasley" <>
  • Cc: Shibboleth Design Team <>
  • Subject: Re: "Unfortunate" Thawte discovery
  • Date: Fri, 26 Jul 2002 09:35:11 -0700 (PDT)


On Fri, 26 Jul 2002, David L. Wasley wrote:

> I suppose ...
>
> At 8:47 AM -0700 7/26/02, RL 'Bob' Morgan wrote:
> >but 3280 says:
> >
> > This extension MAY, at the option of the certificate issuer, be
> > either critical or non-critical.
> >
> > If the extension is present, then the certificate MUST only be used
> > for one of the purposes indicated.
> >
> >This is really appallingly underspecified.
>
> means that if it is marked non-critical the relying party can ignore it.

No, it doesn't. An RP can only ignore a non-critical extension if it
doesn't "understand" it. Not "understanding" an extension specified in
the standard document would be non-compliant, at least in spirit, seems to
me. So if it's there, you have to reject the cert if the use doesn't
conform to the indicated key usage purpose. Since the description of that
purpose is:

-- TLS WWW server authentication

this means that use of these certs for SSL 3.0 would also have to be
rejected, since that's not TLS. Of course, what "WWW" means isn't
particularly clear: is that just http(s)?

- RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
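The relying-party rule Bob describes above (an extendedKeyUsage extension that is present must be honoured whatever its criticality flag says; one that is absent imposes no restriction) is easy to get wrong in validation code that only looks at the critical bit. The following check is an added example, not code from this thread or from Shibboleth; it assumes the Python `cryptography` package is installed and builds throwaway self-signed certificates inline to exercise the four cases.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def eku_permits(cert: x509.Certificate, purpose: x509.ObjectIdentifier) -> bool:
    """RFC 3280 4.2.1.13 as read in the thread: no extension means any use is
    allowed; if the extension is present the intended purpose MUST be listed.
    The critical flag is deliberately not consulted: an RP that understands
    EKU cannot use non-criticality as a licence to ignore it."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return True
    return purpose in ext.value


def eku_summary(cert: x509.Certificate):
    """Return (present, critical, [dotted OIDs]) so a log line can show why a
    certificate was rejected."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return (False, False, [])
    return (True, ext.critical, [oid.dotted_string for oid in ext.value])


def make_test_cert(eku=None, critical=False) -> x509.Certificate:
    """Constructed self-signed certificate for demonstration only (hypothetical
    subject name, one-day validity, P-256 key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=critical)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    want = ExtendedKeyUsageOID.SERVER_AUTH  # id-kp-serverAuth, "TLS WWW server authentication"
    for label, cert in [("no EKU", make_test_cert()),
                        ("serverAuth, non-critical", make_test_cert([want])),
                        ("clientAuth only, non-critical", make_test_cert([ExtendedKeyUsageOID.CLIENT_AUTH])),
                        ("clientAuth only, critical", make_test_cert([ExtendedKeyUsageOID.CLIENT_AUTH], True))]:
        print(f"{label:32} -> {'accept' if eku_permits(cert, want) else 'reject'} {eku_summary(cert)}")
```

The two clientAuth-only certificates are rejected for server use whether or not the extension is marked critical, which is the point of the reply; a check that keyed on `ext.critical` would wrongly accept the non-critical one.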
