Quentin Retourne

Results 40 comments of Quentin Retourne

@alex wondering if there are best practices for certificates: better store it in `vectors` or dynamically create one during testing with the `x509.CertificateBuilder`?

OK, I'll go with storing it in vectors then. Mostly doing it for coverage.

Hey, just pushed a first version of the constraints for certificates used as EE for email signing & verification.

> Section 4.4.4 also discusses some limitations regarding certificates which may...

Totally agree with you @prauscher, for CA I'd either leave it as a `.permit_all()` or a `.webpki_defaults_ca()`. Any opinion on this is welcome 😄 For the changes, feel free to...

> As per [[RFC5280](https://www.rfc-editor.org/rfc/rfc5280)], certificates MUST contain a basicConstraints extension in CA certificates and SHOULD NOT contain that extension in end-entity certificates.

Since this is specified in https://www.rfc-editor.org/rfc/rfc8550#section-4.4, I'll go...

First suggestions integrated, missing:

- Testing with inappropriate certificates, for coverage
- Handling the SubjectAlternativeName constraint defined [here](https://www.rfc-editor.org/rfc/rfc8550#section-4.4.3)

Thanks for the code! I'm unsure about specifying all the time an email address in the extension policy. To me, it seems a bit too restrictive (?). Moreover, it seems...

Hey; coming back on this subject after a few months on a big project. Thanks for the heads up! Will check what's wrong with my current build, rebase to master...

It seems I'm missing on coverage as of now. You can check [this run](https://github.com/pyca/cryptography/actions/runs/15495936796/job/43632929728) for more details. @prauscher if you have any idea on how to make the tests cover the...

Thanks to your explanations I understood what the `-> exit` meant in the cases 1 and 4. I'll fix this asap 😄 Also, I've already built certificates to...