RFC7030 defines the CSR attributes. It says:

"In addition, a CA may desire to certify a certain type of public key and a client may not have a priori knowledge of that fact."

and:

"If the CA requires a particular crypto system or use of a particular signature scheme (e.g., certification of a public key based on a certain elliptic curve, or signing using a certain hash algorithm) it MUST provide that information in the CSR Attribute Response."

I think that this means, if a CA wants RSA, then it should include the attribute sha256WithRSAEncryption ( 1 2 840 113549 1 1 11 ).
It feels odd, because that's not a DN attribute.

I am asking this because my ACP implementation has to deal with RSA certificates until everything is ECDSA happy.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
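Added example, not part of the original message and not code from any EST implementation: a minimal DER decoder for the RFC 7030 CSR Attributes response (CsrAttrs ::= SEQUENCE OF AttrOrOID), run over two constructed samples, one carrying only the bare OID the message asks about and one carrying an ecPublicKey attribute that names a curve. The function names and sample bytes are assumptions for illustration; whether a CA should signal RSA this way is the question the message raises.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_csrattrs(der):
    """Parse CsrAttrs into a list of (oid, [values]) pairs; bare OIDs get []."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CsrAttrs must be a SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x06:  # AttrOrOID choice: bare OBJECT IDENTIFIER
            items.append((decode_oid(val), []))
        elif tag == 0x30:  # AttrOrOID choice: Attribute { type OID, values SET }
            t_tag, t_val, nxt = read_tlv(val, 0)
            s_tag, s_val, _ = read_tlv(val, nxt)
            if t_tag != 0x06 or s_tag != 0x31:
                raise ValueError("malformed Attribute")
            values, vpos = [], 0
            while vpos < len(s_val):
                v_tag, v_val, vpos = read_tlv(s_val, vpos)
                values.append(decode_oid(v_val) if v_tag == 0x06 else v_val.hex())
            items.append((decode_oid(t_val), values))
        else:
            raise ValueError("unexpected tag 0x%02x in CsrAttrs" % tag)
    return items

# Constructed samples (not captured from a real CA).
RSA_SAMPLE = bytes.fromhex("300b06092a864886f70d01010b")  # bare sha256WithRSAEncryption
EC_SAMPLE = bytes.fromhex("3014301206072a8648ce3d0201310706052b81040022")  # ecPublicKey {secp384r1}

if __name__ == "__main__":
    for sample in (RSA_SAMPLE, EC_SAMPLE):
        print(parse_csrattrs(sample))
```

An EST server returns this structure base64-encoded, so decode the response body before passing it to parse_csrattrs.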
