[foaf-protocols] FOAF+SSL and root certificates

Story Henry henry.story at bblfish.net
Mon Feb 15 00:18:29 CET 2010


On 14 Feb 2010, at 21:37, Bruno Harbulot wrote:

> 
> Defining a pseudo CA-certificate with CN=FOAF+SSL (for example) would just allow those resources that don't use a CA to ask for a FOAF+SSL certificate (rather than just any certificate), provided we all agree on which DN to use.
> If this is what we end up doing (this seems sensible), I would recommend that all parties emitting FOAF+SSL certificates put a sufficiently random serial number in their certificates (e.g. based on a UUID), to avoid conflicts for applications that keep track of certificates based on their serial numbers.

In http://tools.ietf.org/html/rfc4346#section-7.4.4

it says:

    ClientCertificateType values are divided into three groups:

      1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are
         reserved for IETF Standards Track protocols.

      2. Values from 64 decimal (0x40) through 223 decimal (0xDF)
         inclusive are reserved for assignment for non-Standards Track
         methods.

      3. Values from 224 decimal (0xE0) through 255 decimal (0xFF)
         inclusive are reserved for private use.


Perhaps we could use one of these numbers, instead? That seems like it would be more appropriate.

Henry
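
The two proposals above both change the same TLS message: the CA DN list and the ClientCertificateType list are fields of CertificateRequest. As an added example that is not part of the original message, this parses a TLS 1.1 CertificateRequest body and reports which RFC 4346 group each offered type falls in, alongside the raw CA DNs. The sample bytes are constructed, and the value 224 (0xE0) is a hypothetical private-use pick, not an assigned number.

```python
import struct

# Registry groups from RFC 4346 section 7.4.4, as quoted in the message above.
GROUPS = [(0, 63, "IETF Standards Track"),
          (64, 223, "non-Standards Track"),
          (224, 255, "private use")]

def classify(value):
    """Return the registry group of a one-byte ClientCertificateType value."""
    for low, high, name in GROUPS:
        if low <= value <= high:
            return name
    raise ValueError("ClientCertificateType must fit in one byte (0-255)")

def parse_certificate_request(body):
    """Parse a TLS 1.1 CertificateRequest body (RFC 4346 section 7.4.4).

    Layout: certificate_types<1..2^8-1>, then certificate_authorities, a
    2-byte-length list of 2-byte-length-prefixed DER DistinguishedNames.
    Returns ([(type_value, group)], [raw_dn_bytes]).
    """
    if not body or body[0] < 1 or len(body) < 1 + body[0] + 2:
        raise ValueError("missing or truncated certificate_types")
    pos = 1 + body[0]
    types = [(v, classify(v)) for v in body[1:pos]]
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    dns = []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > len(body):
            raise ValueError("bad DistinguishedName length")
        dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, dns

# Constructed sample: DER encoding of the DN "CN=FOAF+SSL" (UTF8String).
SAMPLE_DN = bytes.fromhex("30133111300f06035504030c08") + b"FOAF+SSL"
# Types offered: 1 (rsa_sign) and 224 (0xE0, hypothetical private-use pick).
SAMPLE_BODY = (bytes([2, 1, 224])
               + struct.pack("!H", 2 + len(SAMPLE_DN))
               + struct.pack("!H", len(SAMPLE_DN)) + SAMPLE_DN)
```

Calling `parse_certificate_request(SAMPLE_BODY)` returns both the classified types and the DN bytes, which makes it easy to log what a server actually asks for when debugging client certificate selection.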

