> One of the most common ACME deployment failures observed in practice is
> for servers to be configured to serve only the end-entity certificate,
> without the intermediate certificates. This is a particularly pernicious
> problem because some browsers will still trust the resulting
> one-certificate chain, due to caching or fetching of URLs from Authority
> Information Access. But other browsers will not, resulting in a "works
> on my computer" problem.
> 
> Arguably this configuration is the result of incorrect clients, but we
> should expect that most clients will do the easiest thing. This change
> aligns the easiest thing with the most correct thing.

- What happens to Link rel=up? You've left it in.

- What about certificates signed by an intermediate with multiple
  signers, and thus multiple actual intermediate certificates for the
  same intermediate Subject/public key? I'm not sure but I think there
  was some discussion on the list about using multiple Link rel=up
  headers to express a reverse tree
  (end entity -> { intermediate-signer1 -> signer1
                 | intermediate-signer2 -> signer2 }.)

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
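
The two situations discussed above, a server that already returns the whole chain in one body and a server that returns only the end-entity certificate and relies on Link rel="up" (including the cross-signed case with more than one rel="up" target), as an added worked example. This is not code from the ACME draft or from any ACME client; the URLs, the PEM "certificates" (placeholders labelled by role, not parseable X.509) and the fetch function are all constructed for the example.

```python
"""
Walk an ACME certificate download's Link rel="up" headers to reconstruct
every available chain.  When an intermediate is cross-signed and the server
advertises two rel="up" targets, the walk yields one chain per signer
(the reverse tree sketched in the message above).  When the body already
carries several PEM blocks the server served the full chain and nothing is
followed.

Added example, not code from the ACME draft or any ACME client.  Every URL
and certificate body here is a constructed placeholder.
"""
import re
from typing import Callable, Dict, FrozenSet, List, Tuple


def pem(label: str) -> str:
    """Placeholder PEM block; the label stands in for DER content."""
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed responses: url -> (body, list of Link header values), i.e. what
# a client sees after GETing a certificate URL.  Hypothetical hosts/paths.
RESPONSES: Dict[str, Tuple[str, List[str]]] = {
    # Serves only the end-entity cert; the intermediate is cross-signed, so
    # two rel="up" links are advertised.  The rel="index" link must be ignored.
    "https://acme.example/cert/ee": (
        pem("EE"),
        ['<https://acme.example/cert/int-by-signer1>;rel="up"',
         '<https://acme.example/cert/int-by-signer2>;rel="up"',
         '<https://acme.example/dir>;rel="index"'],
    ),
    "https://acme.example/cert/int-by-signer1": (
        pem("INTERMEDIATE signed by SIGNER1"),
        ['<https://acme.example/cert/signer1>;rel="up"'],
    ),
    "https://acme.example/cert/int-by-signer2": (
        pem("INTERMEDIATE signed by SIGNER2"),
        ['<https://acme.example/cert/signer2>;rel="up"'],
    ),
    "https://acme.example/cert/signer1": (pem("SIGNER1 (root)"), []),
    "https://acme.example/cert/signer2": (pem("SIGNER2 (root)"), []),
    # Serves the full chain in one body: the easy thing is the correct thing.
    "https://acme.example/cert/ee-fullchain": (
        pem("EE") + pem("INTERMEDIATE signed by SIGNER1"),
        [],
    ),
}

# One Link header may carry several comma-separated link-values.
LINK_VALUE = re.compile(r'<([^>]+)>((?:\s*;\s*[^,;]+)*)')
REL_PARAM = re.compile(r'rel\s*=\s*"?([^";]+)"?')
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def up_links(link_headers: List[str]) -> List[str]:
    """Target URLs of every link-value whose rel list contains "up"."""
    targets = []
    for header in link_headers:
        for url, params in LINK_VALUE.findall(header):
            m = REL_PARAM.search(params)
            if m and "up" in m.group(1).split():
                targets.append(url)
    return targets


def split_pem(body: str) -> List[str]:
    """All PEM certificate blocks in a response body, in order."""
    return PEM_BLOCK.findall(body)


def build_chains(url: str,
                 fetch: Callable[[str], Tuple[str, List[str]]],
                 max_depth: int = 10) -> List[List[str]]:
    """Depth-first walk of rel="up".  Returns one chain, leaf first, per path
    ending at a certificate with no further "up" link.  Loops and over-long
    chains raise instead of hanging the client."""
    def walk(u: str, visited: FrozenSet[str]) -> List[List[str]]:
        if u in visited or len(visited) >= max_depth:
            raise ValueError(f'rel="up" loop or chain too deep at {u}')
        body, headers = fetch(u)
        certs = split_pem(body)
        if not certs:
            raise ValueError(f"no certificate in response from {u}")
        if len(certs) > 1:          # server already sent the whole chain
            return [certs]
        parents = up_links(headers)
        if not parents:             # top of this branch
            return [certs]
        chains = []
        for parent in parents:      # branch once per cross-signer
            for tail in walk(parent, visited | {u}):
                chains.append(certs + tail)
        return chains
    return walk(url, frozenset())


def fetch_constructed(url: str) -> Tuple[str, List[str]]:
    """Stand-in for the HTTP GET; serves the constructed table above."""
    return RESPONSES[url]


if __name__ == "__main__":
    for start in ("https://acme.example/cert/ee",
                  "https://acme.example/cert/ee-fullchain"):
        for chain in build_chains(start, fetch_constructed):
            print(start, "->", [c.splitlines()[1] for c in chain])
```

A client that only keeps the first rel="up" target would silently drop the second signer's path, which is exactly the "works on my computer" split the quoted text describes; collecting every chain and letting the deployer pick (or serving all of them) avoids that.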