Defining header for stapled certificate extensions

Stef Walter
Wed Sep 10 00:53:18 PDT 2014

On 10.09.2014 09:47, Nikos Mavrogiannopoulos wrote:
> On Tue, 2014-09-09 at 14:12 +0200, Stef Walter wrote:
>> 3.4 snippet
>>  * Callers which are validating certificate chains should retrieve all
>> stapled extensions for each certificate in the chain and use those
>> stapled extensions as if they had been present in the respective
>> certificate. If a stapled extension has the same extnID value as one
>> present in the certificate, the stapled certificate extension should be
>> used instead.
>> Obviously not all callers may be willing to change their entire
>> implementation around to do this, and might choose an approach which
>> ends up at the same result.
> I think API-wise this approach is very cumbersome. After searching the
> PKCS #11 module for an issuer certificate, an implementation must start
> searching for the overridden extensions, and replace them in the
> certificate.
> Why not simplify, and provide a search option for an anchor certificate
> that has already its overridden extensions replaced?

Because such a certificate would be invalid.

The whole point of attaching certificate extensions outside the
certificate is exactly because they cannot be replaced in the
certificate itself due to the signature.
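The override rule quoted from the 3.4 snippet above, as an added example that is not code from the thread or from p11-kit: it parses DER-encoded X.509 Extension structures (assuming that is the form in which stapled extensions are stored) and merges them over a certificate's own extensions by extnID, leaving the certificate bytes untouched so its signature still verifies. The sample basicConstraints and keyUsage extensions are constructed for the example.

```python
# Added example, not code from p11-kit or the thread. Assumes stapled extensions
# are stored as DER-encoded X.509 Extension structures (an assumption here).

def der_tlv(data, pos=0):
    # Decode one DER tag/length/value at pos; return (tag, value, next_pos).
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    # DER OBJECT IDENTIFIER contents -> dotted string (e.g. "2.5.29.19")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extension(ext_der):
    # Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
    #   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    tag, body, _ = der_tlv(ext_der)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid, pos = der_tlv(body)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    tag, val, pos = der_tlv(body, pos)
    critical = False
    if tag == 0x01:  # DER omits DEFAULT values, so critical appears only if TRUE
        critical = val != b"\x00"
        tag, val, pos = der_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    return decode_oid(oid), critical, bytes(val)

def merge_stapled(cert_exts, stapled_exts):
    # Treat stapled extensions as if present in the certificate; a stapled one
    # with the same extnID replaces the original. The certificate is not modified.
    merged = {e[0]: e for e in map(parse_extension, cert_exts)}
    for ext in map(parse_extension, stapled_exts):
        merged[ext[0]] = ext
    return merged

# Constructed sample: critical basicConstraints CA:TRUE and keyUsage as they
# might sit in a certificate, plus a stapled non-critical CA:FALSE override.
CERT_BC = bytes.fromhex("300f0603551d130101ff040530030101ff")
CERT_KU = bytes.fromhex("300e0603551d0f0101ff040403020106")
STAPLED_BC = bytes.fromhex("30090603551d1304023000")
```

`merge_stapled([CERT_BC, CERT_KU], [STAPLED_BC])` keeps keyUsage from the certificate and returns the stapled, non-critical basicConstraints in place of the original.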
