I'm not sure how helpful this is, but we've typically found that allowing a
client to specify certificate delivery in one of 3 formats addresses >99%
of use-cases. I would shy away from connecting this to the MIME parameter
and would prefer something along the lines of what Richard offered as an
Thanks for taking a look. I’ve opened
https://github.com/rolandshoemaker/acme-tls-alpn/pull/6/files to address most
of these comments.
For (4) the plan is to simply version it as suggested, that’s why we went with
a two part OID with the base and then a versioned extension. If we need to
In general, the root of a chain is often "out of band" and you don't send it.
The receiving party gets a cert chain, and validates everything to make sure
that it lists up to a root that is in their local trust store. They maintain
and decide what's in that trust store, via out-of-band
My feelings are similar to Richard's. There are probably some niche
use cases for this feature that merit thought but I think it would benefit
from larger design discussion. Given that we're very close to finishing the
base specification and there hasn't been significant demand for this to
date I
This version just addresses a bunch of small things found during IETF LC.
EKR: I think this is ready for the IESG's consideration.
Thanks,
--Richard
On Fri, Aug 10, 2018 at 9:24 AM wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Automated Certificate Management Environment
WG of the IETF.
Title : Automatic Certificate Management Environment (ACME)
Authors : Richard Barnes
Hello,
this came up in the discussion of
https://github.com/ietf-wg-acme/acme/issues/435 ("An optional MIME
parameter for application/pem-certificate-chain?"). I'm interested in
a reliable way to retrieve the root certificate, resp. the complete
certificate chain including a root certificate.