On 03/14/2018 02:52 PM, Martin Thomson wrote:
> On Wed, Mar 14, 2018 at 9:23 PM, Jacob Hoffman-Andrews <[email protected]> wrote:
>> On 03/12/2018 05:25 AM, Hugo Landau wrote:
>>> 3. Clarify the specification to state that the root certificate must
>>> not appear in the chain, and that roots must be retrieved using the
>>> AIA URL inside the final certificate in the chain if it is needed.
>>> This minimises the chance of clients for non-DANE applications
>>> messing up and provides a viable method for discovery of the root
>>> CA for applications which need it.
>> This seems fine to me.
> MUST NOT is too strong. Advise against it in the same way that TLS
> does. Even point to TLS.

Good point, I'd missed that the above could be normative language. I
agree we shouldn't be more restrictive than TLS on this issue.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
