Add support for the required extensions
Bug #1495392 reported by Stanislaw Pitucha
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Anchor | Fix Released | Medium | Unassigned |
Bug Description
RFC5280 says that effectively Anchor MUST understand the following extensions:
key identifiers (see sec. 4.2.1.1 and 4.2.1.2),
key usage (see sec. 4.2.1.3),
certificate policies (see sec. 4.2.1.5),
the subject alternative name (see sec. 4.2.1.7),
basic constraints (see sec. 4.2.1.10),
name constraints (see sec. 4.2.1.11),
policy constraints (see sec. 4.2.1.12),
extended key usage (see sec. 4.2.1.13).
Anchor needs to either support these extensions or document that/why they're ignored.
Changed in anchor: status: Fix Committed → Fix Released
I'm all for supporting these, however, some don't make as much sense for Anchor as other systems; certificate policies for example can be implemented CA side - particularly after we change to simply extracting things we care about. Certain features like enabling code signing don't map well to ephemeral PKI and can probably be ignored too.
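As an added example (not Anchor's code and not part of the original report or comment): a stdlib-only Python check that walks a DER-encoded Extensions value and sorts each extension by the RFC 5280 rule that an unrecognized extension may be ignored only when it is not marked critical. The `RECOGNIZED` table mirrors the list in the bug description; the function names and the hand-encoded sample bytes are constructed for illustration.

```python
# OIDs (id-ce arc 2.5.29) of the extensions listed in the bug description.
RECOGNIZED = {"2.5.29." + arc: name for arc, name in [
    ("35", "authorityKeyIdentifier"), ("14", "subjectKeyIdentifier"), ("15", "keyUsage"),
    ("32", "certificatePolicies"), ("17", "subjectAltName"), ("19", "basicConstraints"),
    ("30", "nameConstraints"), ("36", "policyConstraints"), ("37", "extKeyUsage")]}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:  # a clear high bit ends the current arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def review(der):
    """Sort the extensions in a DER Extensions SEQUENCE by how they must be handled."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    result, pos = {"recognized": [], "ignored": [], "rejected": []}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_bytes, after_oid = read_tlv(ext, 0)
        tag, value, _ = read_tlv(ext, after_oid)
        critical = tag == 0x01 and value != b"\x00"  # BOOLEAN DEFAULT FALSE: absent = False
        oid = decode_oid(oid_bytes)
        if oid in RECOGNIZED:
            result["recognized"].append(RECOGNIZED[oid])
        else:  # unrecognized: ignorable only when not marked critical
            result["rejected" if critical else "ignored"].append(oid)
    return result

# Constructed sample input: hand-encoded DER, not taken from a real certificate.
BASIC = bytes.fromhex("300c0603551d130101ff04023000")    # basicConstraints, critical
KEY_USAGE = bytes.fromhex("300b0603551d0f040403020780")  # keyUsage, not critical
MADE_UP = bytes.fromhex("300c06032a03040101ff04020500")  # made-up OID 1.2.3.4, critical
SAMPLE = bytes([0x30, 41]) + BASIC + KEY_USAGE + MADE_UP
```

`review(SAMPLE)` puts `basicConstraints` and `keyUsage` under `recognized` and the critical made-up OID under `rejected`. The check classifies by OID and criticality only; it does not interpret or validate the extension values.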