Comments (10)
@cpu I've got this vague recollection that when I had to deal with application/pkix-pkipath that a couple developers asked me how many in the path? I believe they were trying to figure out how much memory they would need. Granted this was a while ago so the idea might be moot at this point.
from acme.
I'm not hearing developers asking for this, so I'm inclined to close WONTFIX. This is an easy extension to add in a future document, if it turns out to be needed.
I'm +1 for WONTFIX. I think it's a fairly narrow use-case and I also haven't heard any requests for it from the ACME client developers I've interacted with.
If you mean whether the root certificate should be included as well or not, that can indeed be very useful.
There are uses where the user needs the complete chain from certificate to root, for example to set up an AWS ELB load balancer (see here: "The certificate chain starts with the certificate that was generated by your CA and ends with your CA's root certificate."), and it is needed for ssl_trusted_certificate for OCSP verification in NGINX. Also, they're nice to be able to verify the validity of the provided certificate chain.
On the other hand, most people simply want the certificate with all required intermediates. So being able to indicate whether the root is included in the chain can definitely be useful from my point of view.
I was thinking more simply: certs=3. The number would indicate how many certificates are to be expected in the application/pem-certificate-chain. I'd like to think that people aren't using deep paths, but from experience I know they sometimes go a little overboard.
I think such a simple numeric option would increase the danger of misuse: some client developers (or users, who are faced with this option) might hard-code 2, assuming that there will always only be precisely one intermediate certificate.
@uhhhh2 For me, yes. I guess the default value would be false, to not break backwards compatibility and since without root is probably the more common case (and existing clients probably don't expect the root)?
@felixfontein I can understand that concern. I'm certainly not hard over on including it, I do not think it'll be that hard for clients to figure it out. If you're going to just indicate whether the root is present, maybe just call it "root" ;)
@seanturner Can you expand on what problem including a count of certificates would solve from your perspective? I'm not sure I understand the reason this would be favourable.
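The two concerns raised in this thread (how much memory a chain needs, and clients hard-coding an expected count) can both be handled client-side by discovering the count while parsing an application/pem-certificate-chain body and enforcing a local cap. The following is an added example, not code from the thread or from the ACME project; the limits, the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# Assumed client-side limits (hypothetical values, not from the thread or a spec).
MAX_CHAIN_BYTES = 64 * 1024
MAX_CERTS = 10

_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


class ChainError(ValueError):
    """Raised when a downloaded chain is malformed or exceeds local limits."""


def split_pem_chain(body, max_certs=MAX_CERTS, max_bytes=MAX_CHAIN_BYTES):
    """Return the DER bytes of each certificate in a PEM chain, in order."""
    if len(body) > max_bytes:
        raise ChainError("chain body larger than %d bytes" % max_bytes)
    certs = []
    for match in _PEM_BLOCK.finditer(body):
        label, payload = match.group(1), match.group(2)
        if label != b"CERTIFICATE":
            raise ChainError("unexpected PEM block: %r" % label)
        if len(certs) == max_certs:
            raise ChainError("more than %d certificates" % max_certs)
        try:
            certs.append(base64.b64decode(b"".join(payload.split()), validate=True))
        except ValueError as exc:
            raise ChainError("bad base64 in certificate %d" % len(certs)) from exc
    if not certs:
        raise ChainError("no certificates found")
    return certs


def fake_pem(der):
    """Wrap constructed bytes in PEM armor; these are NOT real certificates."""
    b64 = base64.encodebytes(der).decode().strip()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample: leaf plus two intermediates, so a hard-coded count of 2 is wrong.
SAMPLE_CHAIN = "".join(fake_pem(b"constructed-cert-%d" % i * 8) for i in range(3)).encode()

if __name__ == "__main__":
    chain = split_pem_chain(SAMPLE_CHAIN)
    print("leaf + %d more certificate(s)" % (len(chain) - 1))
```

The parser only splits and bounds the chain; checking that each certificate actually certifies the one before it still requires an X.509 library.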