Stephen Kent <kent@xxxxxxx> writes:
As I noted earlier in my messages, I think it would be appropriate to include
these extensions in path validation. In fact, I raised this issue over a year
ago in discussions with Sharon and Santosh. But, X.509 does not allow this at
this time.
If there's consensus that this is a good idea, why not just change it? PKIX is bigger than X.509 (does anyone still work from X.509 rather than going straight to the PKIX sources?). I know that PKIX was originally started to profile X.509 for Internet use, but it's been running (or at least shuffling) as a full parallel standards group for years since then. PKIX is the dog, X.509 is its vestigial tail, why not wag it?
(I'm not trying to pick a fight with the X.509 folks, it's just a pain having two (more if you include ETSI and other groups) parallel standards bodies all busy cutting and pasting each other's work as they play Chinese Whispers with the spec, with sundry propagation delays, inconsistencies, and errors introduced along the way.)