[Python-Dev] frozenset C API?

"Martin v. Löwis" martin at v.loewis.de
Thu Sep 6 08:46:50 CEST 2007


>> It's actually easier to do all or nothing.  I'm tempted to just report
>> 'critical' extensions.
> 
> Simpler to provide them all

I very much doubt that, at least if you want to report decoded
information. Conceptually, there is an infinite number of extensions,
and when you are done, I can show you lots of certificates that
have extensions that you don't support.

> This certificate has already been validated; the issue is
> how to get critical information to the app so it can make
> authorization decisions (like subjectAltName when the subject field is
> empty)

>       {'extensions': {'1.3.6.1.5.5.7.1.12': u'',
>                       'Authority Information Access': u'OCSP - URI:http://EVIntl-ocsp.verisign.com\n',
>                       'X509v3 Authority Key Identifier': u'keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF\n',
>                       'X509v3 Basic Constraints': u'CA:FALSE',
>                       'X509v3 CRL Distribution Points': u'URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl\n',
>                       'X509v3 Certificate Policies': u'Policy: 2.16.840.1.113733.1.7.23.6\n',
>                       'X509v3 Extended Key Usage': u'TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto',
>                       'X509v3 Key Usage': u'Digital Signature, Key Encipherment',
>                       'X509v3 Subject Key Identifier': u'F1:5A:89:93:55:47:4B:BA:51:F5:4E:E0:CB:16:55:F4:D7:CC:38:67'},

Hmm. In this certificate, none of the extensions you report have been
marked critical; they are all non-critical.

Also, you are reporting the logotype (1.3.6.1.5.5.7.1.12) incorrectly;
it's defined in RFC 3709, and it's definitely not an empty string in
the certificate you've used.

Regards,
Martin
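
The two points raised in this message (the per-extension critical flag, and extensions the decoder does not know such as 1.3.6.1.5.5.7.1.12) can be illustrated as follows. This is an added example, not code from the thread or from the ssl module. It walks a DER "SEQUENCE OF Extension" and returns each OID with its critical flag and raw value bytes, rather than an empty string for types it cannot decode. The function names and the sample bytes are assumptions constructed for illustration.

```python
# Added example (not from the thread): walk a DER "SEQUENCE OF Extension".
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal text."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:  # continuation bit: subidentifier not finished
            continue
        if not arcs:  # the first subidentifier packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def list_extensions(der):
    """Return [(oid, critical, raw extnValue bytes)] for every extension."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        critical = False  # DEFAULT FALSE: BOOLEAN is omitted when not critical
        if t == 0x01:
            critical = val != b"\x00"
            t, val, p = read_tlv(ext, p)  # the OCTET STRING follows the flag
        out.append((decode_oid(oid), critical, val))
    return out

# Constructed sample: Basic Constraints marked critical, plus the logotype OID
# with a placeholder value (not real RFC 3709 content).
SAMPLE = bytes.fromhex(
    "301e" "300c0603551d130101ff04023000" "300e06082b0601050507010c04023000")
```

An application can then refuse a certificate that carries a critical extension whose OID it does not handle, and still pass unknown non-critical ones through as raw bytes.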

