[Cryptech Tech] Restricting CA signing
Rob Austein
sra at hactrn.net
Fri Jan 30 22:56:32 UTC 2015
At Fri, 30 Jan 2015 17:39:55 -0500, Sean Turner wrote:
>
> On Jan 30, 2015, at 17:32, Rob Austein <sra at hactrn.net> wrote:
>
> > For RPKI checking in the Cryptech context, my candidate list of
> > critical fields would be:
> >
> > - Validity interval (same issue as Jakob's for DNSSEC)
> >
> > - Issuer key / issuer name (more on this below)
> >
> > - BC, SIA and CRLDP extensions.
>
> Should it also include KU and CP which are critical? I'd be
> concerned if a DH key was used to sign stuff. I'm less sure about
> CP though.
I would class KU and CP as extensions for which errors would cause
immediate validation failure, and which thus need not be checked by
the HSM itself. I could be wrong.