An optional MIME parameter for application/pem-certificate-chain? #435
If you mean whether the root certificate should be included as well or not, that can indeed be very useful. There are uses where the user needs the complete chain from certificate to root, for example to set up an AWS ELB load balancer (see here: "The certificate chain starts with the certificate that was generated by your CA and ends with your CA's root certificate."), and it is needed for ssl_trusted_certificate for OCSP verification in NGINX. Also, they're nice to be able to verify the validity of the provided certificate chain. On the other hand, most people simply want the certificate with all required intermediates. So being able to indicate whether the root is included in the chain can definitely be useful from my point of view.
I was thinking more simply: certs=3. The number would indicate how many certificates are to be expected in the application/pem-certificate-chain. I'd like to think that people aren't using deep paths, but from experience I know they sometimes go a little overboard.
I think such a simple numeric option would increase the danger of misuse: some client developers (or users, who are faced with this option) might hard-code 2, assuming that there will always only be precisely one intermediate certificate.
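To make the trade-off above concrete, here is an added example (written for this page, not code from the ACME specification repository or any ACME client) of how a client should handle an application/pem-certificate-chain body: it derives the certificate count from the PEM blocks themselves and only cross-checks a `certs=N` Content-Type parameter if one is present. The `certs=` parameter is the proposal from this thread, not part of the published media type, and the sample "certificates" are constructed DER stubs rather than real X.509 data.

```python
import base64
import re

# Constructed sample data (NOT real certificates): each "certificate" is a
# minimal DER SEQUENCE { INTEGER n } so that base64/DER framing can be checked.
def _fake_cert_der(n):
    return bytes([0x30, 0x03, 0x02, 0x01, n])

def pem_encode_cert(der):
    """Wrap a DER blob in RFC 7468 CERTIFICATE armour with 64-char lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# A three-certificate chain: leaf, intermediate, root (constructed).
SAMPLE_CHAIN = "".join(pem_encode_cert(_fake_cert_der(n)) for n in (1, 2, 3))
# The hypothetical parameter discussed in the thread; it is not part of the media type.
SAMPLE_CONTENT_TYPE = "application/pem-certificate-chain; certs=3"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
_ANY_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def parse_content_type(value):
    """Split 'type; k=v; ...' into (media_type, {k: v}) with lower-cased keys."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params

def parse_pem_chain(text):
    """Return the DER blobs of an application/pem-certificate-chain body.

    Rejects non-CERTIFICATE PEM labels, invalid base64 and bodies that do
    not start with a DER SEQUENCE tag. The count comes from the body itself.
    """
    labels = _ANY_BEGIN.findall(text)
    if any(label != "CERTIFICATE" for label in labels):
        raise ValueError("chain may only contain CERTIFICATE blocks")
    ders = []
    for m in _PEM_BLOCK.finditer(text):
        b64 = "".join(m.group(1).split())
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body is not a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no certificates in chain")
    return ders

def validate_chain_response(content_type, body):
    """Parse a download response and cross-check any declared certs=N count.

    Returns a dict: leaf DER, the remaining DERs in order, the actual count,
    the declared count (or None) and whether the two agree.
    """
    media_type, params = parse_content_type(content_type)
    if media_type != "application/pem-certificate-chain":
        raise ValueError("unexpected media type: " + media_type)
    ders = parse_pem_chain(body)
    declared = int(params["certs"]) if "certs" in params else None
    return {
        "leaf": ders[0],
        "rest": ders[1:],
        "count": len(ders),
        "declared": declared,
        "count_matches": declared is None or declared == len(ders),
    }

def naive_client_assumes_two(body):
    """The misuse the thread warns about: a client hard-coded for exactly one
    intermediate silently drops everything after the second certificate."""
    return parse_pem_chain(body)[:2]

if __name__ == "__main__":
    result = validate_chain_response(SAMPLE_CONTENT_TYPE, SAMPLE_CHAIN)
    print("certificates found:", result["count"], "declared:", result["declared"],
          "agree:", result["count_matches"])
    print("naive client kept:", len(naive_client_assumes_two(SAMPLE_CHAIN)))
```

The point of `naive_client_assumes_two` is the failure mode Felix describes: once a client slices the chain at a fixed depth, a CA that adds a second intermediate produces a chain that validates on the server side but is served incomplete by the client. Counting the blocks that are actually present makes a declared count redundant at best and a source of disagreement at worst.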
Would a boolean option (tentatively named "includeroot") work?
Sincerely,
Logan Widick
On Thu, Aug 9, 2018, 07:49 Felix Fontein wrote:
> I think such a simple numeric option would increase the danger of misuse: some client developers (or users, which are faced with this option) might hard-code 2, assuming that there will always only be precisely one intermediate certificate.
@uhhhh2 For me, yes. I guess the default value would be
@felixfontein I can understand that concern. I'm certainly not hard over on including it; I do not think it'll be that hard for clients to figure it out. If you're going to just indicate whether the root is present, maybe just call it "root" ;)
@seanturner Can you expand on what problem including a count of certificates would solve from your perspective? I'm not sure I understand the reason this would be favourable.
@cpu I've got this vague recollection that when I had to deal with application/pkix-pkipath, a couple of developers asked me how many were in the path. I believe they were trying to figure out how much memory they would need. Granted, this was a while ago, so the idea might be moot at this point.
I'm not hearing developers asking for this, so I'm inclined to close WONTFIX. This is an easy extension to add in a future document, if it turns out to be needed.
I'm +1 for WONTFIX. I think it's a fairly narrow use-case and I also haven't heard any requests for it from the ACME client developers I've interacted with.
Original issue text: Was there any thought put into including an optional parameter in application/pem-certificate-chain that indicates how many certificates are included? If not, would it be useful?