Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at
Wed Sep 10 00:47:34 PDT 2014

On Tue, 2014-09-09 at 14:12 +0200, Stef Walter wrote:
> 3.4 snippet
>  * Callers which are validating certificate chains should retrieve all
> stapled extensions for each certificate in the chain and use those
> stapled extensions as if they had been present in the respective
> certificate. If a stapled extension has the same extnID value as one
> present in the certificate, the stapled certificate extension should be
> used instead.
> Obviously not all callers may be willing to change their entire
> implementation around to do this, and might choose an approach which
> ends up at the same result.

I think API-wise this approach is very cumbersome. After searching the
PKCS #11 module for an issuer certificate, an implementation must start
searching for the overridden extensions, and replace them in the

Why not simplify, and provide a search option for an anchor certificate
that has already its overridden extensions replaced?


More information about the p11-glue mailing list