On Tue, 2014-09-09 at 14:12 +0200, Stef Walter wrote:

> 3.4 snippet
> * Callers which are validating certificate chains should retrieve all
> stapled extensions for each certificate in the chain and use those
> stapled extensions as if they had been present in the respective
> certificate. If a stapled extension has the same extnID value as one
> present in the certificate, the stapled certificate extension should be
> used instead.
>
> Obviously not all callers may be willing to change their entire
> implementation around to do this, and might choose an approach which
> ends up at the same result.

I think API-wise this approach is very cumbersome. After searching the
PKCS #11 module for an issuer certificate, an implementation must start
searching for the overridden extensions, and replace them in the
certificate. Why not simplify, and provide a search option for an anchor
certificate that already has its overridden extensions replaced?

regards,
Nikos
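
The override rule from the quoted 3.4 snippet, combined with the kind of lookup the reply suggests, as an added example that is not part of the original thread and is not p11-kit code. The types, function names and sample anchor are hypothetical, and rejecting duplicate stapled extnIDs is an assumption of this sketch.

```python
from dataclasses import dataclass, replace

# Hypothetical names throughout; this is not the p11-kit or PKCS #11 API.
BASIC_CONSTRAINTS = "2.5.29.19"
EXT_KEY_USAGE = "2.5.29.37"

@dataclass(frozen=True)
class Extension:
    extn_id: str    # dotted OID
    critical: bool
    value: bytes    # DER-encoded extnValue, opaque to the merge

@dataclass(frozen=True)
class Certificate:
    subject: str
    extensions: tuple

def effective_extensions(cert_exts, stapled_exts):
    """Extensions a validator should use: stapled ones win on equal extnID."""
    stapled = {}
    for ext in stapled_exts:
        if ext.extn_id in stapled:  # assumption: ambiguous overrides are rejected
            raise ValueError(f"duplicate stapled extension {ext.extn_id}")
        stapled[ext.extn_id] = ext
    # Keep the certificate's order, swapping in the stapled extension on a match.
    merged = [stapled.pop(ext.extn_id, ext) for ext in cert_exts]
    merged.extend(stapled.values())  # stapled extensions the certificate lacks
    return tuple(merged)

def find_anchor(store, subject):
    """Lookup that returns the anchor with its overrides already applied."""
    cert, stapled = store[subject]
    return replace(cert, extensions=effective_extensions(cert.extensions, stapled))

# Constructed sample: an anchor allowing any EKU, restricted by a stapled
# extension to id-kp-serverAuth only.
SERVER_AUTH_ONLY = bytes.fromhex("300a06082b06010505070301")
ROOT = Certificate("CN=Example Root", (
    Extension(BASIC_CONSTRAINTS, True, bytes.fromhex("30030101ff")),
    Extension(EXT_KEY_USAGE, False, bytes.fromhex("30060604551d2500")),
))
STORE = {ROOT.subject: (ROOT, [Extension(EXT_KEY_USAGE, True, SERVER_AUTH_ONLY)])}
```

A validator that calls `find_anchor` sees only the merged extension list, so it applies the stapled restriction without a second search of the store.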