> One of the most common ACME deployment failures observed in practice is
> for servers to be configured to serve only the end-entity certificate,
> without the intermediate certificates. This is a particularly pernicious
> problem because some browsers will still trust the resulting
> one-certificate chain, due to caching or fetching of URLs from Authority
> Information Access. But other browsers will not, resulting in a "works
> on my computer" problem.
>
> Arguably this configuration is the result of incorrect clients, but we
> should expect that most clients will do the easiest thing. This change
> aligns the easiest thing with the most correct thing.
- What happens to Link rel=up? You've left it in.

- What about certificates signed by an intermediate with multiple signers, and thus multiple actual intermediate certificates for the same intermediate Subject/public key? I'm not sure, but I think there was some discussion on the list about using multiple Link rel=up headers to express a reverse tree (end entity -> { intermediate-signer1 -> signer1 | intermediate-signer2 -> signer2 }).

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
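The failure mode described in the quoted text, a server that presents only the end-entity certificate while one client fetches the issuer through Authority Information Access and another does not, as an added Go example that is not code from the ACME draft, from this thread, or from any ACME implementation. It builds a throwaway root -> intermediate -> leaf PKI in memory with the standard library and plays two server configurations (leaf only, full chain) against two client models (strict, AIA-fetching). The names (example.test, the AIA URL) are constructed placeholders, and the in-memory map standing in for an HTTP fetch of the AIA caIssuers URL is an assumption of the example. The Link rel=up questions raised in the reply are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed placeholders: the PKI built below exists only in memory for this demonstration.
const (
	leafName = "www.example.test"
	aiaURL   = "http://ca.example.test/intermediate.cer" // hypothetical AIA caIssuers URL
)

// newCert signs tmpl with parent/parentKey; a nil parent yields a self-signed root.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate is a CA certificate template valid from an hour ago for the next 24 hours.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// buildTestPKI creates root -> intermediate -> leaf, with the leaf's AIA caIssuers entry set to aiaURL.
func buildTestPKI() (root, intermediate, leaf *x509.Certificate, err error) {
	var rootKey, interKey *ecdsa.PrivateKey
	if root, rootKey, err = newCert(caTemplate("Example Test Root", 1), nil, nil); err != nil { return }
	if intermediate, interKey, err = newCert(caTemplate("Example Test Intermediate", 2), root, rootKey); err != nil { return }
	leaf, _, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{aiaURL},
	}, intermediate, interKey)
	return
}

// strictVerify models a client that trusts only root and builds the chain from exactly what the
// server sent: presented[0] is the leaf, the rest are candidate intermediates. No AIA fetching.
func strictVerify(presented []*x509.Certificate, root *x509.Certificate) error {
	if len(presented) == 0 { return errors.New("server presented no certificates") }
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] { inters.AddCert(c) }
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leafName})
	return err
}

// lenientVerify models a client that, on an unknown-authority failure, fetches the issuer named by the
// leaf's AIA caIssuers URL (looked up in the aia map here) and retries: the "works on my computer" case.
func lenientVerify(presented []*x509.Certificate, root *x509.Certificate, aia map[string]*x509.Certificate) error {
	err := strictVerify(presented, root)
	var unknown x509.UnknownAuthorityError
	if !errors.As(err, &unknown) { return err } // nil on success, or a failure the fetch would not fix
	chain := append([]*x509.Certificate(nil), presented...)
	for _, u := range presented[0].IssuingCertificateURL {
		if c, ok := aia[u]; ok { chain = append(chain, c) }
	}
	return strictVerify(chain, root)
}

// Outcomes records whether each client model accepts a leaf-only chain and the full chain.
type Outcomes struct{ StrictLeafOnly, LenientLeafOnly, StrictFullChain, LenientFullChain bool }

// RunOutcomes plays both server configurations against both client models.
func RunOutcomes() (Outcomes, error) {
	root, inter, leaf, err := buildTestPKI()
	if err != nil { return Outcomes{}, err }
	aia := map[string]*x509.Certificate{aiaURL: inter} // what an AIA fetch of the leaf's issuer would return
	leafOnly, full := []*x509.Certificate{leaf}, []*x509.Certificate{leaf, inter}
	return Outcomes{
		StrictLeafOnly:   strictVerify(leafOnly, root) == nil,
		LenientLeafOnly:  lenientVerify(leafOnly, root, aia) == nil,
		StrictFullChain:  strictVerify(full, root) == nil,
		LenientFullChain: lenientVerify(full, root, aia) == nil,
	}, nil
}
```

Calling RunOutcomes yields StrictLeafOnly false and the other three true: the leaf-only deployment passes on the AIA-fetching client and fails on the strict one, while serving the full chain passes on both. A deployment check that wants to catch this before users do should therefore verify the chain the server actually presents against the trust store alone, with no issuer fetching, which is what strictVerify does.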