On Sun, Mar 12, 2017 at 12:54 PM, Jacob Hoffman-Andrews <[email protected]> wrote:
> On 03/12/2017 12:50 PM, Salz, Rich wrote:
> > What about saying each certificate SHOULD be a signer on *A* preceding
> > certificate? This allows us to serve a single cert chain for both MD5 and
> > SHA1, for example. (Contrived examples of course.)
>
> I think the current language (copied from TLS 1.3) conveys that, though
> it's a bit subtle:
>
> > Each following certificate SHOULD directly certify one preceding it.

Note: this used to be a MUST-level requirement, but due to the complexities of the deployed PKI, in 1.3 it was relaxed to be a SHOULD.

-Ekr

> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
