On 19/07/17 04:42, Andrew Ayer wrote:
<snip>
> To be clear, are you proposing a requirement that the chain always
> contain a certificate with the issuer's public key, even if the logged
> certificate is a trust anchor?  This would be a new requirement, as
> 6962-bis currently allows a non-self-signed trust anchor to be logged
> without a chain containing its issuer.

How about we revert to the RFC6962 requirement that only self-signed certificates may be trust anchors?

It would still be possible for an "intermediate CA" to be a trust anchor, since there's nothing to stop an "intermediate CA" from also self-certifying itself.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
