diff options
| author | Damien Miller <djm@mindrot.org> | 2012-04-22 11:08:30 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-04-22 11:08:30 +1000 |
| commit | 48348fc3b4455df8112d4e1b6de5b4f0779be875 (patch) | |
| tree | a8b918019d6ee2ddc0e1028213ae92f44dff6351 /PROTOCOL.certkeys | |
| parent | 29cd1888873d453f28609d8b301062cbaa4ab4d8 (diff) | |
- djm@cvs.openbsd.org 2012/03/28 07:23:22
[PROTOCOL.certkeys]
explain certificate extensions/crit split rationale. Mention requirement
that each appear at most once per cert.
Diffstat (limited to 'PROTOCOL.certkeys')
| -rw-r--r-- | PROTOCOL.certkeys | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 2f9764981..c98591093 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys | |||
| @@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions | |||
| 162 | are not critical, and an implementation that encounters one that it does | 162 | are not critical, and an implementation that encounters one that it does |
| 163 | not recognise may safely ignore it. | 163 | not recognise may safely ignore it. |
| 164 | 164 | ||
| 165 | Generally, critical options are used to control features that restrict | ||
| 166 | access where extensions are used to enable features that grant access. | ||
| 167 | This ensures that certificates containing unknown restrictions do not | ||
| 168 | inadvertently grant access while allowing new protocol features to be | ||
| 169 | enabled via extensions without breaking certificates' backwards | ||
| 170 | compatibility. | ||
| 171 | |||
| 165 | The reserved field is currently unused and is ignored in this version of | 172 | The reserved field is currently unused and is ignored in this version of |
| 166 | the protocol. | 173 | the protocol. |
| 167 | 174 | ||
| @@ -189,7 +196,7 @@ is a sequence of zero or more tuples: | |||
| 189 | string data | 196 | string data |
| 190 | 197 | ||
| 191 | Options must be lexically ordered by "name" if they appear in the | 198 | Options must be lexically ordered by "name" if they appear in the |
| 192 | sequence. | 199 | sequence. Each named option may only appear once in a certificate. |
| 193 | 200 | ||
| 194 | The name field identifies the option and the data field encodes | 201 | The name field identifies the option and the data field encodes |
| 195 | option-specific information (see below). All options are | 202 | option-specific information (see below). All options are |
| @@ -220,7 +227,9 @@ Extensions | |||
| 220 | 227 | ||
| 221 | The extensions section of the certificate specifies zero or more | 228 | The extensions section of the certificate specifies zero or more |
| 222 | non-critical certificate extensions. The encoding and ordering of | 229 | non-critical certificate extensions. The encoding and ordering of |
| 223 | extensions in this field is identical to that of the critical options. | 230 | extensions in this field is identical to that of the critical options, |
| 231 | as is the requirement that each name appear only once. | ||
| 232 | |||
| 224 | If an implementation does not recognise an extension, then it should | 233 | If an implementation does not recognise an extension, then it should |
| 225 | ignore it. | 234 | ignore it. |
| 226 | 235 | ||
| @@ -253,4 +262,4 @@ permit-user-rc empty Flag indicating that execution of | |||
| 253 | of this script will not be permitted if | 262 | of this script will not be permitted if |
| 254 | this option is not present. | 263 | this option is not present. |
| 255 | 264 | ||
| 256 | $OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $ | 265 | $OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $ |