On 03/12/2018 05:25 AM, Hugo Landau wrote:
> 3. Clarify the specification to state that the root certificate must
> not appear in the chain, and that roots must be retrieved using the
> AIA URL inside the final certificate in the chain if it is needed.
> This minimises the chance of clients for non-DANE applications
> messing up and provides a viable method for discovery of the root
> CA for applications which need it.

This seems fine to me.

To push a little more on why it's required, though: In DANE, you might indicate a trust anchor in your records. Presumably that trust anchor could be either a self-signed root, or an intermediate issuer certificate, right? The reason to prefer putting a root in DNS rather than an issuer is generally that the root won't change as often, right? But if you're automating DANE updates based on the returned certificate chain, why not just use the issuer, and update the trust anchor record every time a new certificate is issued?

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
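The trade-off raised in this message (anchor the DANE-TA record on the root, which rarely changes, or on the issuing intermediate, which the automation would have to republish on every rotation) can be made concrete by generating the TLSA records for both choices from two successive chains. The following is an added example for this thread, not code from any list participant or from an ACME implementation. It follows the TLSA RDATA layout of RFC 6698 (usage, selector, matching type, association data) but only supports the full-certificate selector, because selecting the SubjectPublicKeyInfo would need an ASN.1 parser; the "certificates" are constructed placeholder byte strings, not real DER, and the chains are modelled the way point 3 above proposes, with the root omitted and fetched separately.

```python
"""Added example: TLSA (DANE-TA) record generation for the anchor choice
discussed in the thread. Certificate bytes are constructed placeholders,
not real DER; field values follow RFC 6698."""
import hashlib
from typing import Dict, List, Optional

# RFC 6698 field values used below.
DANE_TA = 2          # certificate usage: trust anchor assertion
DANE_EE = 3          # certificate usage: end-entity match
SEL_FULL_CERT = 0    # selector: the whole certificate
MATCH_EXACT = 0      # matching type: full data, hex-encoded
MATCH_SHA256 = 1     # matching type: SHA-256 of the selected data
MATCH_SHA512 = 2     # matching type: SHA-512 of the selected data


def tlsa_rdata(usage: int, selector: int, mtype: int, der: bytes) -> str:
    """Return TLSA RDATA in presentation format: 'usage selector mtype hex'.

    Only the full-certificate selector is implemented; the SPKI selector
    would require parsing the certificate's ASN.1, which this example omits.
    """
    if selector != SEL_FULL_CERT:
        raise NotImplementedError("SPKI selector needs an ASN.1 parser")
    if mtype == MATCH_EXACT:
        data = der.hex()
    elif mtype == MATCH_SHA256:
        data = hashlib.sha256(der).hexdigest()
    elif mtype == MATCH_SHA512:
        data = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {data}"


def anchor_records(chain: List[bytes], root: Optional[bytes]) -> Dict[str, str]:
    """Build the DANE-TA record for each candidate trust anchor.

    `chain` is the chain as delivered by the CA, leaf first, with the root
    omitted as point 3 proposes. `root` is the root obtained separately
    (e.g. via the AIA URL of the last chain certificate), or None if the
    operator has not fetched it, in which case only the issuer anchor exists.
    """
    if len(chain) < 2:
        raise ValueError("need at least leaf and issuer to anchor on the issuer")
    records = {
        "issuer": tlsa_rdata(DANE_TA, SEL_FULL_CERT, MATCH_SHA256, chain[1]),
    }
    if root is not None:
        records["root"] = tlsa_rdata(DANE_TA, SEL_FULL_CERT, MATCH_SHA256, root)
    return records


def records_changed(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, bool]:
    """Per anchor choice, would the DNS record have to be republished?"""
    return {k: before.get(k) != after.get(k) for k in set(before) | set(after)}


# Constructed placeholder "certificates": arbitrary bytes stand in for DER.
ROOT = b"constructed-root-ca-der"
INTERMEDIATE_A = b"constructed-intermediate-A-der"
INTERMEDIATE_B = b"constructed-intermediate-B-der"
LEAF_1 = b"constructed-leaf-cert-1-der"
LEAF_2 = b"constructed-leaf-cert-2-der"

# First issuance: leaf 1 signed by intermediate A; root not in the chain.
CHAIN_1 = [LEAF_1, INTERMEDIATE_A]
# Renewal after the CA rotated to intermediate B under the same root.
CHAIN_2 = [LEAF_2, INTERMEDIATE_B]


def churn_after_rotation() -> Dict[str, bool]:
    """Which anchor records change when the CA rotates its intermediate?"""
    return records_changed(anchor_records(CHAIN_1, ROOT),
                           anchor_records(CHAIN_2, ROOT))


if __name__ == "__main__":
    for name, rr in anchor_records(CHAIN_2, ROOT).items():
        print(f"{name:7s} _443._tcp.example.com. IN TLSA {rr}")
    print("republish needed:", churn_after_rotation())
```

Running it shows the issuer-anchored record changing across the rotation while the root-anchored record does not; the `root=None` path also makes visible that, once the root is no longer in the delivered chain, anchoring on it requires the separate AIA fetch the quoted point describes.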
