Charles wrote:

> The critical bit is there to provide upward compatibility for
> certificates, which are a standard that is implemented in everything
> from z/OS to Nest Thermostats to Blackberrys that have not been
> updated in ten years.
>
> The critical bit says "this extension really matters. If you don't
> know what this extension is all about, if you don't recognize it, if
> it is a newer standard than your implementation, then you must reject
> this certificate."
>
> So it seems to me to be really fussy pedantry for a TLS implementation
> (yes, GSK) to say "I recognize that extension, but you were SUPPOSED
> to set the critical bit, so nanner, nanner, I am rejecting it."

OK, I agree, but I still don't know whether that makes it a bug or what.

Alan's comment:

> While I wouldn't be surprised to find certificate validation fixes in
> the same release that has TLS 1.3 (it tightened up various security
> aspects), I would be surprised to find those fixes not applying to
> older protocols.

...also seems trenchant: even if it IS considered correct behavior, why just for TLSv1.3?

Hoping someone from gsk-land in IBM can chime in here. I don't have the ability to open a PMR these days.

...phsiii

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
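As an added illustration of the RFC 5280 criticality rule Charles describes (example code written for this page, not code from the thread, from IBM or from GSK), the following Python models the baseline check (reject only unrecognized critical extensions, ignore unrecognized non-critical ones) and, as a separately labelled assumed strict mode, the "you should have set the critical bit" rejection the thread complains about. The two extension OIDs are the real RFC 5280 values; the sample certificates and the private OID are constructed, and nothing here claims to reproduce GSK's actual logic.

```python
from dataclasses import dataclass
from typing import List, Optional

# Real OIDs from RFC 5280 section 4.2.1; these are the only two this toy knows.
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
KNOWN_EXTENSIONS = {OID_BASIC_CONSTRAINTS, OID_KEY_USAGE}


@dataclass
class Extension:
    oid: str
    critical: bool
    value: dict  # already-decoded payload, built inline below


@dataclass
class Certificate:
    subject: str
    extensions: List[Extension]


def validate_extensions(cert: Certificate, strict_criticality: bool = False) -> Optional[str]:
    """Return None if the extensions are acceptable, otherwise the rejection reason.

    Baseline (RFC 5280 section 4.2): a certificate MUST be rejected if it carries a
    critical extension the implementation does not recognize; an unrecognized
    non-critical extension MUST be ignored.  Recognized extensions are processed
    whether or not the critical bit is set.

    strict_criticality is an ASSUMED mode modelling the behaviour the thread
    describes: also reject a *recognized* extension because the issuer omitted a
    critical bit the profile says it should carry.  The one rule applied here is
    real (RFC 5280 section 4.2.1.9: basicConstraints MUST be critical in CA certs).
    """
    seen = set()
    for ext in cert.extensions:
        if ext.oid in seen:  # section 4.2: at most one instance of each extension
            return f"duplicate extension {ext.oid}"
        seen.add(ext.oid)
        if ext.oid not in KNOWN_EXTENSIONS:
            if ext.critical:
                return f"unrecognized critical extension {ext.oid}"
            continue  # unknown but non-critical: ignore, as the standard requires
        if (strict_criticality and ext.oid == OID_BASIC_CONSTRAINTS
                and ext.value.get("ca") and not ext.critical):
            return "basicConstraints on a CA certificate is not marked critical"
    return None


# Constructed sample certificates (not real certificates or real issuers).
CA_CERT_LAX = Certificate("CN=Constructed Root", [
    Extension(OID_BASIC_CONSTRAINTS, critical=False, value={"ca": True}),
    Extension(OID_KEY_USAGE, critical=True, value={"keyCertSign": True}),
])
LEAF_UNKNOWN_CRITICAL = Certificate("CN=host.example", [
    Extension(OID_BASIC_CONSTRAINTS, critical=True, value={"ca": False}),
    Extension("1.3.6.1.4.1.99999.1", critical=True, value={}),  # placeholder private OID
])
LEAF_UNKNOWN_NONCRITICAL = Certificate("CN=host.example", [
    Extension("1.3.6.1.4.1.99999.1", critical=False, value={}),  # placeholder private OID
])
```

Run with the baseline, CA_CERT_LAX passes and only the assumed strict mode rejects it, which is the distinction between "standard-conforming" and "fussy" that the thread is arguing about.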