@@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
-Client certificates include the following extensions:.
+ Client certificates include the following extensions:
--
- basicConstraints=CA:FALSE (critical)
-
-
- keyUsage=digitalSignature,keyEncipherment,cRLSign
-
-
-
-
- extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
-
-
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-
-
- subjectAltName=(as per §3.1.1.).
-
+
+ - basicConstraints=CA:FALSE (critical)
+ - keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)
+ - extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
+ - authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+ - crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found
+ - subjectAltName=(as per §3.1.1.).
+
- what about Client Certificates Adobe Signing extensions ?
- SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6
-
-Server certificates include the following extensions:
+ Server certificates include the following extensions:
--
- basicConstraints=CA:FALSE (critical)
-
-
- keyUsage=digitalSignature,keyEncipherment
-
-
- extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
-
-
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-
-
- subjectAltName=(as per §3.1.1.).
-
+
+ - basicConstraints=CA:FALSE (critical)
+ - keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)
+ - extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
+ - authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+ - crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found
+ - subjectAltName=(as per §3.1.1.).
+
-Code-Signing certificates include the following extensions:
+ Code-Signing certificates include the following extensions:
-
--
- basicConstraints=CA:FALSE (critical)
-
-
- keyUsage=digitalSignature,keyEncipherment
-
-
- extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-
-
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-
+
+ - basicConstraints=CA:FALSE (critical)
+ - keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)
+ - extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
+ - authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+ - crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found
+ - subjectAltName=(as per §3.1.1.).
+
- what about subjectAltName for Code-signing
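Review bot: The subjectAltName lines in all three lists (client, server, code-signing) carry no criticality marker, yet this hunk deletes the open note that SubjectAltName should become critical if the DN is removed (RFC 5280 section 4.2.1.6). Either state the criticality on each line, as is already done for basicConstraints and keyUsage, for example "subjectAltName=(as per §3.1.1.) (critical if the subject DN is empty)", or record where that question was settled before dropping the note. The code-signing list now gains subjectAltName "as per §3.1.1." in place of the deleted "what about subjectAltName for Code-signing" question, so §3.1.1. should be checked to confirm it covers code-signing subjects. The Adobe Signing question is also deleted without any corresponding new text. Separately, keyUsage now sets keyEncipherment and keyAgreement together in every profile. keyEncipherment applies to RSA key transport and keyAgreement to (EC)DH keys, so consider making the asserted bits depend on the key type instead of setting both unconditionally.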