Comments (10)

seanturner commented on August 16, 2024 1

@cpu I've got this vague recollection that when I had to deal with application/pkix-pkipath that a couple developers asked me how many in the path? I believe they were trying to figure out how much memory they would need. Granted this was a while ago so the idea might be moot at this point.

from acme.

bifurcation commented on August 16, 2024 1

I'm not hearing developers asking for this, so I'm inclined to close WONTFIX. This is an easy extension to add in a future document, if it turns out to be needed.

cpu commented on August 16, 2024 1

I'm +1 for WONTFIX. I think it's a fairly narrow use-case and I also haven't heard any requests for it from the ACME client developers I've interacted with.

felixfontein commented on August 16, 2024

If you mean whether the root certificate should be included as well or not, that can indeed be very useful.

There are uses where the user needs the complete chain from certificate to root, for example to set up an AWS ELB load balancer (see here: "The certificate chain starts with the certificate that was generated by your CA and ends with your CA's root certificate."), and it is needed for ssl_trusted_certificate for OCSP verification in NGINX. Also, they're nice to be able to verify the validity of the provided certificate chain.

On the other hand, most people simply want the certificate with all required intermediates. So being able to indicate whether the root is included in the chain can definitely be useful from my point of view.

seanturner commented on August 16, 2024

I was thinking more simply: certs=3. The number would indicate how many certificates are to be expected in the application/pem-certificate-chain. I'd like to think that people aren't using deep paths, but from experience I know they sometimes go a little overboard.

felixfontein commented on August 16, 2024

I think such a simple numeric option would increase the danger of misuse: some client developers (or users, who are faced with this option) might hard-code 2, assuming that there will always only be precisely one intermediate certificate.

uhhhh2 commented on August 16, 2024

felixfontein commented on August 16, 2024

@uhhhh2 For me, yes. I guess the default value would be false, to not break backwards compatibility and since without root is probably the more common case (and existing clients probably don't expect the root)?

seanturner commented on August 16, 2024

@felixfontein I can understand that concern. I'm certainly not hard over on including it, I do not think it'll be that hard for clients to figure it out. If you're going to just indicate whether the root is present, maybe just call it "root" ;)

cpu commented on August 16, 2024

@seanturner Can you expand on what problem including a count of certificates would solve from your perspective? I'm not sure I understand the reason this would be favourable.

from acme.
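
The counting question raised in this thread, as an added example that is not part of any comment or of the ACME project's code: a client splits the application/pem-certificate-chain body and lets the body decide how many certificates there are, under local size and depth caps. The limits, function names and placeholder DER blobs are assumptions constructed for illustration.

```python
import base64
import re

# Assumed client-side limits; neither value comes from the thread or from ACME.
MAX_CERTS = 8
MAX_BODY_BYTES = 64 * 1024
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

class ChainError(ValueError):
    """The downloaded chain is malformed or exceeds the local limits."""

def split_pem_chain(body, max_certs=MAX_CERTS, max_bytes=MAX_BODY_BYTES):
    """Return each certificate's DER bytes in order, without assuming a count."""
    if len(body) > max_bytes:
        raise ChainError(f"chain body is {len(body)} bytes, limit is {max_bytes}")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ChainError("chain is not ASCII PEM") from exc
    ders = []
    for match in _PEM_CERT.finditer(text):
        if len(ders) == max_certs:
            raise ChainError(f"more than {max_certs} certificates in chain")
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ChainError("invalid base64 in certificate block") from exc
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ChainError("certificate block is not a DER SEQUENCE")
        ders.append(der)
    # Stray text or an unterminated block left outside the matches is rejected.
    if _PEM_CERT.sub("", text).strip():
        raise ChainError("unexpected data outside certificate blocks")
    if not ders:
        raise ChainError("no certificates found")
    return ders

def to_pem(der):
    """Wrap DER bytes in PEM armor (used to build the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Constructed placeholder DER blobs, not real certificates.
    sample = "".join(to_pem(b"\x30\x03\x02\x01" + bytes([i])) for i in range(3))
    print(len(split_pem_chain(sample.encode())), "certificates in chain")
```

Whether the last element is a root still has to be decided by parsing it with an X.509 library and checking that it is self-issued; this sketch only bounds and splits the body.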
