On Mon, 3 Oct 2016 08:00:38 -0400 Richard Barnes <[email protected]> wrote:
> I appreciate the sentiment. It seems morally right that the PKI
> should be that simple. But in practice, it's not. That's why the
> world needs tools like Ubiquity that have full scoring algorithms:
>
> https://godoc.org/github.com/cloudflare/cfssl/ubiquity

Right, and it's the CA that should be integrating something like Ubiquity in order to determine the default chain.

The CLI tool for Ubiquity supports an option called "ubiquitous", which according to the documentation generates "a bundle of most widely acceptance across different browsers and OS platforms."[1]

How often do you think clients would not want "ubiquitous"? Enough to make every single client depend on Ubiquity or a library of similar complexity?

Regards,
Andrew

[1] https://github.com/cloudflare/cfssl/blob/master/README.md

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
