Defining header for stapled certificate extensions

Daniel Kahn Gillmor dkg at
Tue Sep 9 07:49:59 PDT 2014

On 09/09/2014 06:56 AM, Stef Walter wrote:
> I'm working on defining an installed p11-kit header for stapled
> certificate extensions:

just a note about terminology:

you may not want to use the term "stapled" in this context, since it
collides with a much more common use of the term "stapled" w.r.t. X.509
certificates, which is "OCSP stapling" and the associated "must staple"
X.509 extension.

I could imagine deciding that a given certificate should only be
considered valid in a context with a stapled OCSP response.  To
implement that in the framework you've proposed would result an a
stapled "must staple" extension.  confusing!

if the term "stapled" isn't yet baked in, would you consider other
terms, like "associated extensions" or "extra extensions"?

the concepts are already complex as it is; if we want software
developers to understand the tools we're offering them, we should try to
avoid any unnecessary confusion where possible.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the p11-glue mailing list