Hi Ilari,

I don't have this implemented yet, but yes, tag/length should be included. Same 
as in the actual cert.

Cheers,

Andrei

-----Original Message-----
From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com] 
Sent: Wednesday, April 26, 2017 10:04 AM
To: Andrei Popov <andrei.po...@microsoft.com>
Cc: David Benjamin <david...@chromium.org>; tls@ietf.org
Subject: Re: [TLS] CertficateRequest extension encoding

On Mon, Sep 05, 2016 at 09:46:51PM +0000, Andrei Popov wrote:
> 
> Do we need to make it this flexible? The idea was to avoid adding 
> complexity to the certificate filtering code in the TLS stack, and 
> instead filter by OIDs in the PKI library. PKI libraries already 
> inspect and match OID values, so this should be a relatively small 
> change for them.

Haven't found an answer to this yet...


How are the OIDs encoded exactly? Does the value of 'certificate_extension_oid' 
include redundant OBJECT IDENTIFIER tag and length, or not?

That is, is id-pe-nsa [1.3.6.1.5.5.7.1.23] (just to pick an example) in 
certificate_extension_oid field encoded as:

1) 2B 06 01 05 05 07 01 17  (no tag/length)
2) 06 08 2B 06 01 05 05 07 01 17  (tag/length included).

?


-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
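The two candidate encodings from the question, worked through as an added example (not code from anyone in this thread or from any TLS stack). The function names are assumptions, and the sketch handles short-form DER lengths only. It builds both byte strings for id-pe-nsa and includes a strict parser that accepts only form 2, the one the reply above says should be used.

```python
def encode_oid_content(dotted: str) -> bytes:
    """Content octets only (no tag/length): form 1 in the question."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2:
        raise ValueError("invalid OID")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc out of range")
    # The first two arcs share one subidentifier: 40*X + Y.
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for n in subids:
        chunk = [n & 0x7F]                      # last byte: high bit clear
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)     # earlier bytes: high bit set
            n >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def encode_oid_tlv(dotted: str) -> bytes:
    """Full DER OBJECT IDENTIFIER (tag 0x06 + length + content): form 2."""
    content = encode_oid_content(dotted)
    if len(content) >= 0x80:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([0x06, len(content)]) + content

def decode_oid_tlv(data: bytes) -> str:
    """Strict parse of form 2; bare content octets (form 1) are rejected."""
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError("missing OBJECT IDENTIFIER tag")
    if data[1] >= 0x80 or data[1] != len(data) - 2:
        raise ValueError("bad or unsupported length")
    content = data[2:]
    if content[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    subids, n, start = [], 0, True
    for b in content:
        if start and b == 0x80:
            raise ValueError("non-minimal subidentifier")
        n = (n << 7) | (b & 0x7F)
        start = not (b & 0x80)
        if start:
            subids.append(n)
            n = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

if __name__ == "__main__":
    for f in (encode_oid_content, encode_oid_tlv):
        print(f.__name__, f("1.3.6.1.5.5.7.1.23").hex(" ").upper())
```

A receiver that compares the field byte-for-byte against the OID as it appears in the certificate only matches when both sides agree on one of the two forms, which is why the question matters for interoperability.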
