path: root/PROTOCOL.certkeys
author    Damien Miller <djm@mindrot.org>    2012-04-22 11:08:30 +1000
committer Damien Miller <djm@mindrot.org>    2012-04-22 11:08:30 +1000
commit    48348fc3b4455df8112d4e1b6de5b4f0779be875
tree      a8b918019d6ee2ddc0e1028213ae92f44dff6351 /PROTOCOL.certkeys
parent    29cd1888873d453f28609d8b301062cbaa4ab4d8
- djm@cvs.openbsd.org 2012/03/28 07:23:22
[PROTOCOL.certkeys] explain certificate extensions/crit split rationale. Mention requirement that each appear at most once per cert.
Diffstat (limited to 'PROTOCOL.certkeys')
-rw-r--r--  PROTOCOL.certkeys  15
1 files changed, 12 insertions, 3 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 2f9764981..c98591093 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions
162are not critical, and an implementation that encounters one that it does 162are not critical, and an implementation that encounters one that it does
163not recognise may safely ignore it. 163not recognise may safely ignore it.
164 164
165Generally, critical options are used to control features that restrict
166access where extensions are used to enable features that grant access.
167This ensures that certificates containing unknown restrictions do not
168inadvertently grant access while allowing new protocol features to be
169enabled via extensions without breaking certificates' backwards
170compatibility.
171
165The reserved field is currently unused and is ignored in this version of 172The reserved field is currently unused and is ignored in this version of
166the protocol. 173the protocol.
167 174
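Review bot: the new paragraph at 165-170 states the consequence (a certificate carrying an unknown restriction cannot grant access) but not the rule that produces it. The sentence immediately above says an unrecognised extension "may safely" be ignored; the contrast only works if the reader already knows that an unrecognised critical option must cause the certificate to be refused, and that rule should be stated here rather than left implicit, e.g. "an implementation must refuse a certificate containing a critical option it does not recognise, whereas it may ignore an extension it does not recognise". A smaller point: "restrict access where extensions are used to enable features" reads better as "whereas extensions are used to enable features", since the clause is a contrast, not a location.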
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples:
189 string data 196 string data
190 197
191Options must be lexically ordered by "name" if they appear in the 198Options must be lexically ordered by "name" if they appear in the
192sequence. 199sequence. Each named option may only appear once in a certificate.
193 200
194The name field identifies the option and the data field encodes 201The name field identifies the option and the data field encodes
195option-specific information (see below). All options are 202option-specific information (see below). All options are
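Review bot: the sentence added at 199 says each named option may appear only once but does not say what an implementation should do when a name is repeated. Because options must be lexically ordered by name (198), a duplicate is detectable as a name that is not strictly greater than its predecessor, and since the options in this section are critical the natural rule is to reject the certificate. Suggest "Each named option must appear at most once; a certificate in which an option name is repeated or out of order is invalid", which also matches the commit message's "at most once" more closely than "may only appear once".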
@@ -220,7 +227,9 @@ Extensions
220 227
221The extensions section of the certificate specifies zero or more 228The extensions section of the certificate specifies zero or more
222non-critical certificate extensions. The encoding and ordering of 229non-critical certificate extensions. The encoding and ordering of
223extensions in this field is identical to that of the critical options. 230extensions in this field is identical to that of the critical options,
231as is the requirement that each name appear only once.
232
224If an implementation does not recognise an extension, then it should 233If an implementation does not recognise an extension, then it should
225ignore it. 234ignore it.
226 235
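Review bot: line 231 carries the uniqueness requirement over to extensions, but unlike critical options an unrecognised extension is ignored (233-234), so the text leaves open whether a repeated extension name invalidates the certificate or which occurrence takes effect, and two implementations could legitimately differ (one refusing, one taking the first or last value). To avoid a certificate that is interpreted differently by different implementations, state the rule explicitly, preferably the same one as for options: "a certificate in which an extension name is repeated or out of order is invalid".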
@@ -253,4 +262,4 @@ permit-user-rc empty Flag indicating that execution of
253 of this script will not be permitted if 262 of this script will not be permitted if
254 this option is not present. 263 this option is not present.
255 264
256$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $ 265$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $