My feelings are similar to Richard's. There are probably some niche
usecases for this feature that merit thought but I think it would benefit
from larger design discussion. Given that we're very close to finishing the
base specification and there hasn't been significant demand for this to
date I think it makes the most sense to defer for a follow up.

On Fri, Aug 10, 2018 at 9:16 AM, Richard Barnes <> wrote:

> Hi Felix,
> Thanks for reflecting this back to the list.  The concrete implementation
> concerns are helpful.
> I'm concerned that the need here is more than just a simple MIME
> parameter.  The MIME parameter is just an aspect of the media type; it just
> tells you what's in the object you're looking at.  It sounds like for your
> use cases, you would also need a way for the client to *request* that the
> root be included.  In fact, it's not clear to me that you need the MIME
> parameter if you have that.
> In addition, I think these concerns can be handled cleanly in an
> extension, e.g., by adding an optional field to the new-order object that
> requests the root cert be included.
> So while I'm not opposed to addressing this issue in general, I'll propose
> that we not address this in the base spec.
> --Richard
> On Fri, Aug 10, 2018 at 6:38 AM Felix Fontein <
>> wrote:
>> Hello,
>> this came up in the discussion of
>> ("An optional MIME
>> parameter for  application/pem-certificate-chain?"). I'm interested in
>> a reliable way to retrieve the root certificate, resp. the complete
>> certificate chain including a root certificate. This is sometimes
>> needed, for example for setting up an AWS ELB load balancer, or for
>> configuring OCSP verification in nginx, and also to simply verify the
>> validity of the returned chain down to the root.
>> During the discussion in the Github issue, Logan Widick suggested a
>> boolean MIME parameter (with suggested name "includeroot") for
>> application/pem-certificate-chain.
>> Since the issue (originally about another MIME parameter) is now
>> closed, I want to bring this suggestion up on the mailing list. My
>> suggestion would be that this parameter is optional (with no explicit
>> default value, i.e. the default is to do what the ACME server already
>> did before), and a formulation which suggests the server SHOULD respect
>> this parameter. I think the name "includeroot" is fine, but it could
>> also be "include-root" or something different.
>> Are there any opinions on this?
>> Thanks and best regards,
>> Felix Fontein
>> _______________________________________________
>> Acme mailing list
> _______________________________________________
> Acme mailing list
Acme mailing list

Reply via email to