Viktor Dukhovni <[email protected]> writes:

> I know, but it is my impression that this is rarely enforced, for the simple
> reason that most servers have but one chain to offer, and so offer that in
> the hope that the client will cope, regardless of what some (perhaps
> needlessly strict) text in the specifications was trying to suggest.
I think "rarely enforced" is more like "universally ignored" for the reason you give. What's a server supposed to do with this requirement, put the client on hold while they call their CA and ask them to create a new top-to-bottom cert chain (intermediate CAs and everything) to support whatever fashion statement the client wants to make? The server has a cert chain and the client can either take it or leave it. It's PKI, not a buffet restaurant.

Many years ago a friend of mine went to a local restaurant and started ordering steak with some long litany of how he wanted it prepared. The waitress interrupted him and said "look, you can either have steak, or no steak". He chose the steak.

In this case you can either connect, or not connect. Guess what, oh, approximately 100% of users will choose?

Peter.

_______________________________________________
TLS mailing list -- [email protected]
