Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at redhat.com
Wed Sep 10 00:47:34 PDT 2014


On Tue, 2014-09-09 at 14:12 +0200, Stef Walter wrote:
> 3.4 snippet
>  * Callers which are validating certificate chains should retrieve all
> stapled extensions for each certificate in the chain and use those
> stapled extensions as if they had been present in the respective
> certificate. If a stapled extension has the same extnID value as one
> present in the certificate, the stapled certificate extension should be
> used instead.
> 
> Obviously not all callers may be willing to change their entire
> implementation around to do this, and might choose an approach which
> ends up at the same result.

I think API-wise this approach is very cumbersome. After searching the
PKCS #11 module for an issuer certificate, an implementation must start
searching for the overridden extensions, and replace them in the
certificate.

Why not simplify, and provide a search option for an anchor certificate
that has already its overridden extensions replaced?

regards,
Nikos
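The two API shapes discussed above, as an added example that is not part of the original thread or of p11-kit: `resolve_chain` does the caller-side merge the 3.4 snippet describes (fetch the stapled extensions for each certificate and use them as if present, with a stapled extension winning on an extnID collision), and `Store.find_certificate_with_overrides` is the single lookup Nikos asks for, returning the anchor with its overridden extensions already replaced. The `Store` class, keying stapled extensions by certificate subject, and all sample certificates and extension values are constructed for this example; they are not p11-kit's object model or attributes.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Extension:
    """One X.509 extension, identified by its extnID (dotted-decimal OID)."""
    extn_id: str
    critical: bool
    value: bytes  # DER extnValue; sample values below are constructed


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for a certificate (hypothetical model)."""
    subject: str
    issuer: str
    extensions: Tuple[Extension, ...]


def apply_stapled_extensions(cert_exts: Iterable[Extension],
                             stapled_exts: Iterable[Extension]) -> Tuple[Extension, ...]:
    """Merge per the 3.4 snippet: treat stapled extensions as if they were in
    the certificate; when an extnID collides, the stapled one replaces the
    certificate's own extension (in place), new ones are appended."""
    merged: Dict[str, Extension] = {e.extn_id: e for e in cert_exts}
    for s in stapled_exts:
        merged[s.extn_id] = s
    return tuple(merged.values())


class Store:
    """Stand-in for a PKCS#11 token holding certificates and stapled
    extensions. Keying stapled extensions by subject name is an assumption
    made for this example only."""

    def __init__(self) -> None:
        self._certs: Dict[str, Certificate] = {}
        self._stapled: Dict[str, List[Extension]] = {}

    def add_certificate(self, cert: Certificate) -> None:
        self._certs[cert.subject] = cert

    def add_stapled_extension(self, subject: str, ext: Extension) -> None:
        self._stapled.setdefault(subject, []).append(ext)

    def find_certificate(self, subject: str) -> Optional[Certificate]:
        return self._certs.get(subject)

    def stapled_extensions_for(self, subject: str) -> List[Extension]:
        return list(self._stapled.get(subject, []))

    def find_certificate_with_overrides(self, subject: str) -> Optional[Certificate]:
        """Nikos' proposal: one lookup that already returns the anchor with
        its overridden extensions applied, so callers never do the merge."""
        cert = self.find_certificate(subject)
        if cert is None:
            return None
        merged = apply_stapled_extensions(cert.extensions,
                                          self.stapled_extensions_for(subject))
        return replace(cert, extensions=merged)


def resolve_chain(chain: List[Certificate], store: Store) -> List[Certificate]:
    """Caller-side approach from the 3.4 snippet: for every certificate in the
    chain, retrieve its stapled extensions and merge them before validation."""
    return [replace(c, extensions=apply_stapled_extensions(
                c.extensions, store.stapled_extensions_for(c.subject)))
            for c in chain]


def build_sample_store() -> Tuple[Store, List[Certificate]]:
    """Constructed sample data: a root whose keyUsage is overridden by a
    stapled extension and which gains a stapled extendedKeyUsage."""
    basic_constraints = Extension("2.5.29.19", True, b"\x30\x03\x01\x01\xff")  # CA:TRUE
    key_usage_cert = Extension("2.5.29.15", True, b"\x03\x02\x01\x06")        # keyCertSign|cRLSign
    root = Certificate("CN=Example Root", "CN=Example Root",
                       (basic_constraints, key_usage_cert))
    leaf = Certificate("CN=Example Leaf", "CN=Example Root", ())
    store = Store()
    store.add_certificate(root)
    store.add_certificate(leaf)
    # Stapled override: same extnID as the cert's keyUsage, different value.
    store.add_stapled_extension("CN=Example Root",
                                Extension("2.5.29.15", True, b"\x03\x02\x07\x80"))
    # Stapled addition: an extendedKeyUsage the cert itself does not carry.
    store.add_stapled_extension("CN=Example Root",
                                Extension("2.5.29.37", False, b"\x30\x00"))
    return store, [leaf, root]


if __name__ == "__main__":
    store, chain = build_sample_store()
    for cert in resolve_chain(chain, store):
        print(cert.subject, [(e.extn_id, e.value.hex()) for e in cert.extensions])
```

Both paths yield the same effective extension list; the difference is only where the merge lives. With the single-lookup form the validator's existing "find issuer, then check its extensions" loop does not change at all, which is the simplification Nikos is arguing for.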
