On Tuesday, 14 February 2017 13:47:51 UTC, Steve Medin wrote:
> - PKCS#7 chains are indeed not a requirement, but see point 1. It’s
> probably no coincidence that IIS supports it given awareness of the demands
> placed on enterprise IT admins.
I don't see how PKCS#7 offers any advantage at all. I end up helping lots of ordinary people with certificate installation (on things which are more or less web servers, and other things), which today mostly means Let's Encrypt because, even though Let's Encrypt focuses on automation, that $0 price point is very attractive without the automation when you've got no idea what you're doing. Not once have I thought "This would be easier with PKCS#7". Literally I've never even had to walk a user through how to make a PKCS#7 file, because it never comes up. In addition to PEM they've needed JKS and PKCS#12 and ZIP files, but never PKCS#7.

When it comes to installation, the main problem is usually the awful UX in the GUI they're trying to use. Invalid inputs are often swallowed with no visible commentary or result, let alone helpful error messages; the system may expect them to wait for a lengthy restart or reboot before their changes take effect; and nomenclature is arbitrary: one program's "CA Cert" is another's "Chain File" and yet another's "Intermediate Certificates".

I would pressure server vendors to clean this up, except that really in most cases what they actually need to do is embrace at least one of the automation options and bake that into their software instead. We didn't make the safety elevator easier to use by affixing a great many wordy instruction panels about the correct means of closing the doors and sequence of operation for the motors; we just made the machine smarter so that all the humans do is press a floor button and try to avoid eye contact with strangers. As a result, even an illiterate child can confidently operate such an elevator once they can reach the buttons. Nobody would purchase an old-style manual elevator today even if it were available a little cheaper from a major manufacturer; it's just not worth the hassle.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
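The point in the post above is that a PKCS#7 "chain" carries nothing a concatenated PEM chain file does not. The script below, an added example that is not part of the original message or of any project it mentions, shows that concretely with the openssl command line (assumed to be OpenSSL 1.1.1 or 3.x): it builds a throw-away CA and leaf certificate, packages the same two certificates as a PEM chain file, as a PKCS#7 (.p7b) bundle and as a PKCS#12 bundle, unpacks each again, and checks that the same certificates come back and that the leaf verifies against the CA. It goes one step past the post by including PKCS#12, the format that does add something (the private key travels with the chain, under a password). The CA name "Constructed Example Test CA", the host name example.test and the password changeit are constructed values for the example only.

```shell
#!/bin/sh
# Added example (not from the original post): one leaf + one issuing CA
# packaged as PEM, PKCS#7 and PKCS#12, then unpacked and compared.
# The CA, host name and password below are constructed, not a real PKI.
set -eu

# make_test_pki DIR: build a throw-away CA, a leaf for example.test, and a
# PEM "chain file" (leaf first, then issuer), which is what ACME tooling
# such as Let's Encrypt clients hands out.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/chain.pem"
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# pkcs7_roundtrip DIR: wrap the PEM chain as a certs-only PKCS#7 (.p7b),
# unwrap it again, and print how many certificates came back out.
pkcs7_roundtrip() {
    dir=$1
    openssl crl2pkcs7 -nocrl -certfile "$dir/chain.pem" \
        -out "$dir/chain.p7b" 2>/dev/null
    openssl pkcs7 -in "$dir/chain.p7b" -print_certs \
        -out "$dir/from_p7.pem" 2>/dev/null
    count_certs "$dir/from_p7.pem"
}

# pkcs12_roundtrip DIR: PKCS#12 bundles the private key with the chain under
# a password; print how many certificates can be read back without the key.
pkcs12_roundtrip() {
    dir=$1
    openssl pkcs12 -export -name example.test \
        -inkey "$dir/leaf.key" -in "$dir/leaf.pem" -certfile "$dir/ca.pem" \
        -passout pass:changeit -out "$dir/bundle.p12" 2>/dev/null
    openssl pkcs12 -in "$dir/bundle.p12" -passin pass:changeit -nokeys \
        -out "$dir/from_p12.pem" 2>/dev/null
    count_certs "$dir/from_p12.pem"
}

# chain_ok DIR: the check worth doing whatever the container format is called
# in the GUI: does the leaf actually verify against the CA in the bundle?
chain_ok() {
    dir=$1
    if openssl verify -CAfile "$dir/ca.pem" "$dir/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# leaf_fingerprint FILE: SHA-256 fingerprint of the first certificate in FILE
# (openssl x509 skips the "subject=" text lines that -print_certs emits).
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# run_demo DIR: prints "p7=<n> p12=<n> chain=<OK|FAIL> same_leaf=<yes|no>"
run_demo() {
    dir=$1
    make_test_pki "$dir"
    p7=$(pkcs7_roundtrip "$dir")
    p12=$(pkcs12_roundtrip "$dir")
    chain=$(chain_ok "$dir")
    if [ "$(leaf_fingerprint "$dir/leaf.pem")" = "$(leaf_fingerprint "$dir/from_p7.pem")" ]; then
        same=yes
    else
        same=no
    fi
    echo "p7=$p7 p12=$p12 chain=$chain same_leaf=$same"
}

# Stand-alone run: expected line is "p7=2 p12=2 chain=OK same_leaf=yes"
run_demo "$(mktemp -d)"
```

Both round trips return exactly the two certificates that went in, and the leaf pulled back out of the .p7b has the same SHA-256 fingerprint as the original leaf.pem, so the PKCS#7 step is a pure repackaging. If a server's GUI insists on a .p7b, `openssl crl2pkcs7 -nocrl -certfile chain.pem` is the whole conversion; the step that actually matters in either direction is `openssl verify -CAfile` against the issuer, since an "Intermediate Certificates" field that silently swallows a wrong file is exactly the UX failure the post complains about.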