[Cryptech Tech] Restricting CA signing
Sean Turner
turners at ieca.com
Fri Jan 30 22:39:55 UTC 2015
On Jan 30, 2015, at 17:32, Rob Austein <sra at hactrn.net> wrote:
> For RPKI checking in the Cryptech context, my candidate list of
> critical fields would be:
>
> - Validity interval (same issue as Jakob's for DNSSEC)
>
> - Issuer key / issuer name (more on this below)
>
> - BC, SIA and CRLDP extensions.
Should it also include KU and CP which are critical? I’d be concerned if a DH key was used to sign stuff. I’m less sure about CP though.
spt