Recommend including intermediate certificates in a BIP70 payment request.

[schildbach]

No description provided.

[gavinandresen]

I think the wording needs to express the idea that the certificate chain MUST be complete, up to (but not including) a trusted root certificate. But RFC5280 validation will fail if it is not, so I'm not sure how explicit we really need to be.

[ExperimentsAndIdeas]

The AIA field should tell the client where to fetch the issuer certificate if it's not included. We should recommend that the certificate is always available of HTTP and perhaps Namecoin (or other store).

It may be educational to say that HTTPS storage of a signed parent certificate provides no security value add.

(new to GitHub, not sure if this is where this comment should go. Please advise on the correct location to discuss this)

[schildbach]

@makerofthings7 Keep in mind wallets might not have HTTP(S) access, maybe not even TCP connectivity. IMHO it should be a goal of this spec that the cert chain can always be validated offline.

[ExperimentsAndIdeas]

If offline validation is a goal, and we want to support DANE (self published CA roots in DNS) then the entire chain, including the root should be included.

http://tools.ietf.org/html/rfc6698

@schildbach @gavinandresen

[schildbach]

I changed the wording to:

"This MUST be
followed by additional certificates, with each subsequent certificate
being the one used to certify the previous one, up to (but not
including) a trusted root authority. The trusted root authority MAY be
included."

That allows self-signed CA roots while still suggesting that normally the root cert is not required.

[gavinandresen]

ACK

[schildbach]

@makerofthings7 Are you ok with the current change?

[ExperimentsAndIdeas]

Yes thank you.

[schildbach]

Ping. What's needed to get this merged? (I just rebased on current master)

[schildbach]

Ping! What's needed to get this merged?