On Thu, Jul 7, 2016 at 7:29 PM Watson Ladd <watsonbl...@gmail.com> wrote:
> I don't think we can use name constraints here. Yes, they are opt-in
> and clients can indicate support, but it may well be that a TLS
> implementation doesn't know if its X509 validation code will support
> them as it hands the certificate to a system provided validator. (I
> believe there was a longstanding Chrome on Windows XP bug for a
> similar reason).

What are you referring to? I think one would know well enough whether our validators support a given feature. If there are weird cases, one can always decline to advertise if unsure.

If you're thinking ECDSA and Chrome/XP, I believe it only got reflected in the cipher list and not sigalgs, but that's just because we never routed that bit through, not because we didn't know if we could do ECDSA. (And by now it's irrelevant since Chrome/XP is no longer supported.)

David

> Sincerely,
> Watson
>
> > In the next rev, we'll update the draft to make these points more
> > clearly.
> >
> > -Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls