Nick Sullivan <nicholas.sulli...@gmail.com> wrote:
> PR: https://github.com/tlswg/tls13-spec/pull/654
>
> This change adds a set of extensions to the Certificate message. With this
> change, the Certificate message can now hold all extension messages that
> are certificate-specific (rather than connection-specific). This change
> also resolves the anomaly of OCSP messages appearing before certificates in
> the handshake.
>
There are two ways that such a thing could be done. How your proposal
suggests:
opaque ASN1Cert<1..2^24-1>;
struct {
opaque certificate_request_context<0..2^8-1>;
ASN1Cert certificate_list<0..2^24-1>;
Extension extensions<0..2^16-1>;
} Certificate;
or:
opaque ASN1CertData<1..2^24-1>;
struct {
ASN1CertData cert_data;
Extension extensions<0..2^16-1>;
}
struct {
opaque certificate_request_context<0..2^8-1>;
ASN1Cert certificate_list<0..2^24-1>;
} Certificate;
I think you are right that the SCT and the OCSP response are
per-certificate. In particular, they are not per-certificate-chain, so to
me the latter form, where each certificate in the chain gets its own
extension list, makes more sense to me. Would you consider changing the
proposal to the second form?
Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
