I think the I-D exists.
I think the I-D is or will be allocated in naming extensions.
however, it's going to be longer than we have before we get that OID
and can depend on it.
I think that we're going to have to start out double importing the same
security context and move to the new OID when it exists in a year or
two.
My assumption here is that while double importing a context is
architecturally wrong, if you only use the name in one of the two forks
of the context it will work in practice for the mechanisms we care about
(Kerberos, EAP, SAML-EC, most PKI mechanisms).
If that assumption is wrong, we can push harder to try and get the OID
assigned and to try and get functionality into mech glues in a patch
release.
basically, I'm asking why we want to hurry for this issue.
|