>> It's actually easier to do all or nothing.  I'm tempted to just report
>> 'critical' extensions.
>
> Simpler to provide them all

I very much doubt that, at least if you want to report decoded
information. Conceptually, there is an infinite number of extensions,
and when you are done, I can show you lots of certificates that have
extensions that you don't support.

> This certificate has already been validated; the issue is
> how to get critical information to the app so it can make
> authorization decisions (like subjectAltName when the subject field is
> empty)

> {'extensions': {'1.3.6.1.5.5.7.1.12': u'',
>                 'Authority Information Access': u'OCSP - URI:http://EVIntl-ocsp.verisign.com\n',
>                 'X509v3 Authority Key Identifier': u'keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF\n',
>                 'X509v3 Basic Constraints': u'CA:FALSE',
>                 'X509v3 CRL Distribution Points': u'URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl\n',
>                 'X509v3 Certificate Policies': u'Policy: 2.16.840.1.113733.1.7.23.6\n',
>                 'X509v3 Extended Key Usage': u'TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto',
>                 'X509v3 Key Usage': u'Digital Signature, Key Encipherment',
>                 'X509v3 Subject Key Identifier': u'F1:5A:89:93:55:47:4B:BA:51:F5:4E:E0:CB:16:55:F4:D7:CC:38:67'},

Hmm. In this certificate, none of the extensions you report have been
marked critical; they are all non-critical.

Also, you are reporting the logotype (1.3.6.1.5.5.7.1.12) incorrectly;
it's defined in RFC 3709, and it's definitely not an empty string in
the certificate you've used.

Regards,
Martin
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
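An added example, not part of the original message and not code from Python's ssl module: one way to report every extension without decoding each type is to return its OID, its critical flag and its raw DER value, so that an application can apply the RFC 5280 rule of rejecting a certificate that carries a critical extension it does not process. The `KNOWN` table, the function names and the `SAMPLE` bytes are assumptions made for this sketch; the sample is constructed, and its 1.3.6.1.5.5.7.1.12 value is a placeholder rather than a real RFC 3709 logotype.

```python
KNOWN = {"2.5.29.19": "X509v3 Basic Constraints"}  # illustrative name table
# Constructed sample: DER Extensions SEQUENCE holding a critical basicConstraints
# and a non-critical 1.3.6.1.5.5.7.1.12 whose value is a placeholder (30 00).
SAMPLE = bytes.fromhex("301e300c0603551d130101ff04023000300e06082b0601050507010c04023000")

def read_tlv(buf, pos):  # returns (tag, content, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 arcs, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def list_extensions(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        critical = tag == 0x01 and value != b"\x00"  # BOOLEAN, DEFAULT FALSE
        if tag == 0x01:
            tag, value, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING extnValue")
        oid = decode_oid(oid_body)
        found.append({"oid": oid, "name": KNOWN.get(oid), "critical": critical, "value_der": value})
    return found

def unhandled_critical(extensions, understood):
    # OIDs the caller must treat as a validation failure
    return [e["oid"] for e in extensions if e["critical"] and e["oid"] not in understood]
```

Unknown extensions come back with `name` set to `None` and their value left as undecoded DER bytes, rather than as an empty string.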