merge 6.1p1

author: Colin Watson <cjwatson@debian.org> 2012-09-06 23:20:10 +0100
committer: Colin Watson <cjwatson@debian.org> 2012-09-06 23:20:10 +0100
commit: c6a2c0334e45419875687d250aed9bea78480f2e (patch)
tree: d8f01bef9f3921fa1ca7592a19474be9c8349f76 /PROTOCOL.certkeys
parent: dd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff)
parent: 8b13b5bdc4f19bd52ee673104d66b71c21153b96 (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 2f9764981..c98591093 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions
 are not critical, and an implementation that encounters one that it does
 not recognise may safely ignore it.
+Generally, critical options are used to control features that restrict
+access where extensions are used to enable features that grant access.
+This ensures that certificates containing unknown restrictions do not
+inadvertently grant access while allowing new protocol features to be
+enabled via extensions without breaking certificates' backwards
+compatibility.
 The reserved field is currently unused and is ignored in this version of
 the protocol.
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples:
    string       data
 Options must be lexically ordered by "name" if they appear in the
-sequence.
+sequence. Each named option may only appear once in a certificate.
 The name field identifies the option and the data field encodes
 option-specific information (see below). All options are
@@ -220,7 +227,9 @@ Extensions
 The extensions section of the certificate specifies zero or more
 non-critical certificate extensions. The encoding and ordering of
-extensions in this field is identical to that of the critical options.
+extensions in this field is identical to that of the critical options,
+as is the requirement that each name appear only once.
 If an implementation does not recognise an extension, then it should
 ignore it.
@@ -253,4 +262,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                      of this script will not be permitted if
                                      this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
author	Colin Watson <cjwatson@debian.org>	2012-09-06 23:20:10 +0100
committer	Colin Watson <cjwatson@debian.org>	2012-09-06 23:20:10 +0100
commit	c6a2c0334e45419875687d250aed9bea78480f2e (patch)
tree	d8f01bef9f3921fa1ca7592a19474be9c8349f76 /PROTOCOL.certkeys
parent	dd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff)
parent	8b13b5bdc4f19bd52ee673104d66b71c21153b96 (diff)

diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 2f9764981..c98591093 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys
@@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions
162	are not critical, and an implementation that encounters one that it does	162	are not critical, and an implementation that encounters one that it does
163	not recognise may safely ignore it.	163	not recognise may safely ignore it.
164		164
		165	Generally, critical options are used to control features that restrict
		166	access where extensions are used to enable features that grant access.
		167	This ensures that certificates containing unknown restrictions do not
		168	inadvertently grant access while allowing new protocol features to be
		169	enabled via extensions without breaking certificates' backwards
		170	compatibility.
		171
165	The reserved field is currently unused and is ignored in this version of	172	The reserved field is currently unused and is ignored in this version of
166	the protocol.	173	the protocol.
167		174
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples:
189	string data	196	string data
190		197
191	Options must be lexically ordered by "name" if they appear in the	198	Options must be lexically ordered by "name" if they appear in the
192	sequence.	199	sequence. Each named option may only appear once in a certificate.
193		200
194	The name field identifies the option and the data field encodes	201	The name field identifies the option and the data field encodes
195	option-specific information (see below). All options are	202	option-specific information (see below). All options are
@@ -220,7 +227,9 @@ Extensions
220		227
221	The extensions section of the certificate specifies zero or more	228	The extensions section of the certificate specifies zero or more
222	non-critical certificate extensions. The encoding and ordering of	229	non-critical certificate extensions. The encoding and ordering of
223	extensions in this field is identical to that of the critical options.	230	extensions in this field is identical to that of the critical options,
		231	as is the requirement that each name appear only once.
		232
224	If an implementation does not recognise an extension, then it should	233	If an implementation does not recognise an extension, then it should
225	ignore it.	234	ignore it.
226		235
@@ -253,4 +262,4 @@ permit-user-rc empty Flag indicating that execution of
253	of this script will not be permitted if	262	of this script will not be permitted if
254	this option is not present.	263	this option is not present.
255		264
256	$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $	265	$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $