I appreciate the sentiment.  It seems morally right that the PKI should be
that simple.  But in practice, it's not.  That's why the world needs tools
like Ubiquity that have full scoring algorithms:

https://godoc.org/github.com/cloudflare/cfssl/ubiquity



On Sun, Oct 2, 2016 at 9:15 PM, Andrew Ayer <a...@andrewayer.name> wrote:

> On Sun, 2 Oct 2016 11:49:47 -0400
> Richard Barnes <r...@ipv.sx> wrote:
>
> > This change seems to suppose that there is One True Cert Chain, and
> > the CA is the one to provide it.  Clearly neither of these is true.
>
> I disagree.  The One True Cert Chain is the shortest chain that will be
> trusted by the most platforms, weighted by the platforms' market
> shares.  Building this certificate chain is complicated and requires
> knowledge of PKI and access to every platform's trust store.  Clients
> and their implementers shouldn't be expected to have either, but the CA
> certainly has both.
>
> A small minority of people may require a different chain (e.g. they're
> willing to forgo some platforms to get a smaller TLS handshake, or they
> need a different cross-sign so they can support a platform that didn't
> make the cut for the default chain).  Those users can request the DER
> version and use rel=up to construct their own chain.  I think it's
> reasonable to use multiple rel=up links if there is more than one issuer
> certificate.
>
> A CA-provided default chain will save clients a lot of work and prevent
> a lot of errors.  +1 for Jacob's change.
>
> Regards,
> Andrew
>
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
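Andrew's criterion for the default chain (most platforms trusting it, weighted by market share, shortest among ties) and the smaller-handshake trade-off he mentions, as an added toy example that is not code from this thread, from ACME or from CFSSL's Ubiquity; the issuer links, platform names and market shares below are constructed for illustration:

```python
"""Toy chain scorer for the 'One True Cert Chain' argument. All data is constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed issuer graph: cert name -> certs that could have signed it.
# Several entries model several rel="up" links (here: a cross-signed intermediate).
ISSUERS: Dict[str, List[str]] = {
    "leaf":           ["intermediate"],
    "intermediate":   ["root-new", "root-old-cross"],
    "root-old-cross": ["root-old"],
    "root-new":       [],   # self-signed
    "root-old":       [],   # self-signed
}

# Constructed trust stores: platform -> (market share in %, trusted cert names).
TRUST_STORES: Dict[str, Tuple[int, Set[str]]] = {
    "desktop-browser": (55, {"root-new", "root-old"}),
    "mobile-os":       (30, {"root-new", "root-old"}),
    "legacy-device":   (15, {"root-old"}),          # never got root-new
}


def build_chains(leaf: str, issuers=ISSUERS) -> List[List[str]]:
    """Enumerate every path leaf -> ... -> self-signed root by following issuer links."""
    parents = issuers.get(leaf, [])
    if not parents:                       # reached a self-signed root
        return [[leaf]]
    return [[leaf] + tail for p in parents for tail in build_chains(p, issuers)]


def chain_score(chain: List[str], stores=TRUST_STORES) -> int:
    """Total market share of platforms that trust at least one cert in the chain.
    A platform validates once it reaches a cert in its own store, so a trusted
    intermediate counts the same as a trusted root."""
    return sum(share for share, trusted in stores.values()
               if any(cert in trusted for cert in chain))


def best_chain(leaf: str, issuers=ISSUERS, stores=TRUST_STORES) -> List[str]:
    """Default chain: maximise weighted trust, then prefer the shorter chain."""
    return max(build_chains(leaf, issuers),
               key=lambda c: (chain_score(c, stores), -len(c)))


def shortest_chain_covering(leaf: str, min_share: int, issuers=ISSUERS,
                            stores=TRUST_STORES) -> Optional[List[str]]:
    """The 'forgo some platforms for a smaller handshake' case: the shortest
    chain that still reaches at least min_share % of the market, or None."""
    ok = [c for c in build_chains(leaf, issuers) if chain_score(c, stores) >= min_share]
    return min(ok, key=lambda c: (len(c), -chain_score(c, stores))) if ok else None
```

With the constructed data the default chain goes through the cross-sign to reach the legacy devices, while a caller content with 80 % coverage gets the shorter chain ending at root-new.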