Some time ago, in the last year, while the details of EV were getting
worked out, I read a message from a representative of a CA whose root(s)
are in Firefox.  He wrote that to resolve certain issues with some browsers
using new roots and other browsers using old roots, his CA was advising
customers to configure their servers to send out all the certs needed to
build a chain to either of those roots.  If I recall correctly, he used
the word "shotgun" to describe this technique.  Sadly for me, I do not
remember who wrote that comment, or what CA he represented, or to which
mailing list he sent that message, and I cannot find that message.  So
now I'm writing to this group in hopes that that person reads this list.

If you are the CA representative who wrote about that, please write to
me and tell me if there is any public information about your technique.

I write this because the IETF TLS working group is now considering whether
to refine the next TLS RFC to speak to certain related issues.  It has been
proposed to change the text in the next TLS RFC to explicitly disallow the
sending of anything but a single cert chain, from leaf to root.  I'd like
to offer pointers to any public information about that "shotgun" technique
as evidence that the alternative (sending certs that are NOT necessarily
a single chain) is being used to good advantage on the Internet today.

Regards,
/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

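The message above contrasts two ways a client can treat the certificates a server sends: as one ordered chain from leaf to root, or as a bag from which a path to any of the client's trust anchors is built. The following is an added example, not code from the original message or from any CA; it is a toy model in which a certificate is just a (subject, issuer) pair, and all names (Example Intermediate CA, Example Old Root, Example New Root, www.example.test) are constructed. It shows why a server that ships both the intermediate signed by the new root and the same intermediate cross-signed by the old root lets clients with either root succeed, and why a validator that insists on a single ordered chain rejects that very set.

```python
"""Path building over a bag of certificates that need not form one chain.

Added example with a constructed, toy model: a certificate is a (subject,
issuer) pair. Real certificates carry keys and signatures, omitted here so
that the path-building logic stands out.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed sample: the server ships the leaf, the intermediate signed by
# the new root, and the same intermediate cross-signed by the old root. Two
# certificates share a subject, so the set is not a single chain.
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTER_NEW = Cert("Example Intermediate CA", "Example New Root")
INTER_OLD = Cert("Example Intermediate CA", "Example Old Root")
NEW_ROOT = Cert("Example New Root", "Example New Root")
OLD_ROOT = Cert("Example Old Root", "Example Old Root")

SHOTGUN_BAG = [LEAF, INTER_NEW, INTER_OLD]   # the "shotgun" approach
SINGLE_CHAIN = [LEAF, INTER_NEW]             # one chain toward the new root


def build_path(leaf: Cert, offered: Iterable[Cert],
               trust_anchors: Iterable[Cert]) -> Optional[List[Cert]]:
    """Depth-first search from the leaf to any trust anchor.

    The next hop may be any offered certificate (or any anchor) whose subject
    equals the current certificate's issuer. A certificate already on the path
    is never reused, which cuts cycles such as mutually cross-signed roots.
    """
    anchors = set(trust_anchors)
    pool = list(offered) + list(anchors)

    def walk(path: List[Cert]) -> Optional[List[Cert]]:
        current = path[-1]
        if current in anchors:
            return path
        for candidate in pool:
            if candidate.subject == current.issuer and candidate not in path:
                found = walk(path + [candidate])
                if found:
                    return found
        return None

    return walk([leaf])


def validate_ordered_chain(chain: Sequence[Cert],
                           trust_anchors: Iterable[Cert]) -> bool:
    """The strict reading: the list must be exactly one chain, leaf first,
    each certificate issued by the next one, ending at a trust anchor or at a
    certificate issued directly by one."""
    anchors = set(trust_anchors)
    for cert, nxt in zip(chain, chain[1:]):
        if nxt.subject != cert.issuer:
            return False
    last = chain[-1]
    return last in anchors or any(a.subject == last.issuer for a in anchors)


if __name__ == "__main__":
    for anchor in (NEW_ROOT, OLD_ROOT):
        path = build_path(LEAF, SHOTGUN_BAG, [anchor])
        print(anchor.subject, "->", [c.subject for c in path] if path else None)
    print("strict validator on the shotgun bag:",
          validate_ordered_chain(SHOTGUN_BAG, [NEW_ROOT]))
```

With the bag, `build_path` reaches the old root via the cross-signed intermediate and the new root via the other one, while the single chain leaves old-root clients without a path. The strict validator fails on the bag at the second pair, because the cross-signed intermediate is not issued by the new-root intermediate; that is exactly the interoperability cost of the "single chain only" wording the message discusses.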