> > Separately, as long as we're raising issues with RFC 8366, I strongly
> > believe that the pinned-domain-certificate should've been a list of
> > certificates. Or, in crypto-types [1] terms, a trust-anchor-cert-cms,
> > not a trust-anchor-cert-x509. To enable the pinned-domain-certificate
> > for an intermediate CA to be a chain that includes the root self-signed
> > certificate, thus supporting tooling unable to validate partial-chains.
>
> I believe that a future version could make this change relatively easily,
> particularly if we do it quickly. Distinguishing between arrays of 1-element
> and single-items isn't that difficult in the serializations we have.
By "future version", do you mean an rfc8366bis?
If open to that, I could draft an I-D...
K.
_______________________________________________
Anima mailing list
https://www.ietf.org/mailman/listinfo/anima