Re: [Acme] Discovery of directory URL

2018-03-12 Thread Alan Doherty
I wouldn't be a fan.

At 19:02 12/03/2018 Monday, Azoff, Justin S wrote:
> I've been investigating the possibility of offering an ACME compatible endpoint for local users to use to obtain certificates through our normal CA process. One of the issues I have identified is that if I were to

[Acme] Discovery of directory URL

2018-03-12 Thread Azoff, Justin S
I've been investigating the possibility of offering an ACME compatible endpoint for local users to use to obtain certificates through our normal CA process. One of the issues I have identified is that if I were to run a local ACME server, every client would have to be configured to point at

Re: [Acme] Certificate chains including roots

2018-03-12 Thread Martin Thomson
The usage model I think we should aim for is where chains are used as-is. For instance, the chain is fed straight to the HTTPS server. There is reasonably strong advice against sending trust anchor certificates over the wire, and most software simply spools out everything it is given. I thought

Re: [Acme] Certificate chains including roots

2018-03-12 Thread Jörn Heissler
On Mon, Mar 12, 2018 at 16:01:24 +0100, Philipp Junghannß wrote:
> But isn't the point of this proposal that the client CANNOT be expected knowing the root like with DANE/TLSA'd servers with a custom root or whatever?

I must admit that I'm not very familiar with DANE. What would be a typical

Re: [Acme] Certificate chains including roots

2018-03-12 Thread Philipp Junghannß
But isn't the point of this proposal that the client CANNOT be expected knowing the root like with DANE/TLSA'd servers with a custom root or whatever?

On 12.03.2018 15:57, "Jörn Heissler" wrote:
> On Mon, Mar 12, 2018 at 12:25:14 +, Hugo Landau wrote:
> > 1.

Re: [Acme] Certificate chains including roots

2018-03-12 Thread Jörn Heissler
On Mon, Mar 12, 2018 at 12:25:14 +, Hugo Landau wrote:
> 1. Clarify the specification to state that the root certificate must always appear in the chain at the end. Clients should be advised to pop the root certificate if they are procuring certificate chains for

[Acme] Certificate chains including roots

2018-03-12 Thread Hugo Landau
The current specification seems a bit ambiguous regarding whether a PEM certificate chain includes the root CA certificate. Most of the time the root CA shouldn't be included in a certificate chain sent by a TLS server. However, there are circumstances in which it is essential; namely, when DANE