Roland Bracewell Shoemaker
We obviously didn't get to this for 1.20 (sorry), but it is something on my radar to look at in 1.21.
> One thing I'm worried about is that if we ever add a new constraint to `NSSCert`, code written against an old version will consider them unconstrained. Is it worth...
We have an in-flight CL for this. I'd like to get this in ASAP rather than updating the release notes, but at some point that may be prudent.
(I realized I forgot the `golang/go` prefix for the Fixes line 🤦)
I think we previously discussed making the name of the package somewhat generic, in part in case we wanted to provide multiple different trust stores in the future (hence it's...
Oh sorry, I completely missed your last comment after we talked. Switching to Certificate definitely makes sense and adding Kind on Constraint seems reasonable, and I like that it prevents...
Sounds good to me.
This seems like something that would likely be useful in general for people writing `Config.GetCertificate` functions. We _kind of_ have an inverse version of this already with `ClientHelloInfo.SupportsCertificate`, but that...
> I tried pulling in this change in go 1.21.6 and it appears `P521` support was dropped with `GOEXPERIMENT=boringcrypto` and `import _ crypto/tls/fipsonly`. > > It looks like it was...
I don't think we want to add transparent support for IMPLICIT values; if you expect to parse an EXPLICIT field, but get an IMPLICIT field, that seems like it should...