Hi Felix,

Thanks for reflecting this back to the list. The concrete implementation concerns are helpful.

I'm concerned that the need here is more than just a simple MIME parameter. The MIME parameter is just an aspect of the media type; it just tells you what's in the object you're looking at. It sounds like for your use cases, you would also need a way for the client to *request* that the root be included. In fact, it's not clear to me that you need the MIME parameter if you have that. In addition, I think these concerns can be handled cleanly in an extension, e.g., by adding an optional field to the new-order object that requests the root cert be included. So while I'm not opposed to addressing this issue in general, I'll propose that we not address this in the base spec.

--Richard

On Fri, Aug 10, 2018 at 6:38 AM Felix Fontein <felix= [email protected]> wrote:

> Hello,
>
> this came up in the discussion of
> https://github.com/ietf-wg-acme/acme/issues/435 ("An optional MIME
> parameter for application/pem-certificate-chain?"). I'm interested in
> a reliable way to retrieve the root certificate, resp. the complete
> certificate chain including a root certificate. This is sometimes
> needed, for example for setting up an AWS ELB load balancer, or for
> configuring OCSP verification in nginx, and also to simply verify the
> validity of the returned chain down to the root.
>
> During the discussion in the Github issue, Logan Widick suggested a
> boolean MIME parameter (with suggested name "includeroot") for
> application/pem-certificate-chain.
>
> Since the issue (originally about another MIME parameter) is now
> closed, I want to bring this suggestion up on the mailing list. My
> suggestion would be that this parameter is optional (with no explicit
> default value, i.e. the default is to do what the ACME server already
> did before), and a formulation which suggests the server SHOULD respect
> this parameter. I think the name "includeroot" is fine, but it could
> also be "include-root" or something different.
>
> Are there any opinions on this?
>
> Thanks and best regards,
> Felix Fontein
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
