crypto/x509: doc: clarify package is aimed towards Web PKI support #26624

Closed
adamdecaf opened this issue Jul 26, 2018 · 7 comments
Labels: Documentation, FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.)
Comments

@adamdecaf
Contributor

It's been noted before that crypto/x509 is aimed towards only supporting the Web PKI. (See: #16858 (comment) and #24151 (comment)) However, the documentation doesn't clearly state that.

This means it's a bit unclear what to expect from this package.

  • Is it valid for SystemCertPool() to return certificates for email signing?
  • How forgiving should parsing / validation be?
  • What level of extensibility (re: OIDs) should be supported?

Explaining non-goals would also be helpful.

@gopherbot

Change https://golang.org/cl/126136 mentions this issue: crypto/x509: clarify package is for the web pki

@adamdecaf
Contributor Author

cc @FiloSottile

@ianlancetaylor ianlancetaylor changed the title from "doc: crypto/x509: clarify package is aimed towards Web PKI support" to "crypto/x509: doc: clarify package is aimed towards Web PKI support" Aug 3, 2018
@ianlancetaylor ianlancetaylor added the NeedsFix label (The path to resolution is known, but the work has not been done.) Aug 3, 2018
@ianlancetaylor ianlancetaylor added this to the Go1.12 milestone Aug 3, 2018
@odeke-em
Member

Kindly paging @FiloSottile, @agl commented on the CL, please take a look. Thank you.

@andybons andybons modified the milestones: Go1.12, Go1.13 Feb 12, 2019
@andybons andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
@FiloSottile
Contributor

I think this would also be important in terms of ensuring the package can evolve as the PKI does. However, in practice we do support custom roots, so we can't just say "WebPKI only". What about this wording?

This package targets a profile of X.509 compatible with the WebPKI and other PKIs that follow the current CA/Browser Forum Baseline Requirements.

@sleevi, any opinions?

@sleevi
sleevi commented Jul 3, 2020

Yeah, I can't think of any better way to frame it, especially since you support things that are not permitted by the "Web PKI" profile (e.g. URI nameConstraints). Removing support for something the Web PKI removes support for is consistent with keeping the profiles compatible, while it's clear you don't limit support to exactly that profile.
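
Added example, not part of the thread and not the Go project's own code: a Go program exercising the two behaviours named in the comments above, custom roots and URI nameConstraints, to show that `crypto/x509` enforces a URI constraint carried by a private root. The certificates, host names and the `must` and `verifyURI` helpers are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure in this constructed demo
	}
	return v
}

// verifyURI issues a leaf with one URI SAN under a constructed root that permits
// only example.com URIs, and reports whether a name constraint rejected it.
func verifyURI(leafURI string) (rejected bool, err error) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedURIDomains: []string{"example.com"},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "constructed leaf"}, URIs: []*url.URL{must(url.Parse(leafURI))}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	roots := x509.NewCertPool() // custom roots, not SystemCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName, err
}

func main() {
	fmt.Println(verifyURI("https://example.com/svc"))
	fmt.Println(verifyURI("https://other.test/svc"))
}
```

The first call verifies cleanly; the second fails with a `CertificateInvalidError` whose reason is `CANotAuthorizedForThisName`, which is the value to match when alerting on constraint violations in a private PKI.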

@gopherbot

Change https://golang.org/cl/241118 mentions this issue: crypto/x509: clarify package use-case and implementation reasoning

@FiloSottile FiloSottile modified the milestones: Backlog, Go1.16 Oct 20, 2020
@FiloSottile FiloSottile self-assigned this Oct 20, 2020
@gopherbot

Change https://golang.org/cl/266541 mentions this issue: crypto/x509: expand package docs and clarify package target

@golang golang locked and limited conversation to collaborators Nov 14, 2023
9 participants