- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Tue, 10 Apr 2018 22:37:27 +0300
- To: Ryan Sleevi <ryan-ietf@sleevi.com>
- Cc: Mike Bishop <mbishop@evequefou.be>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Apr 10, 2018 at 03:11:15PM -0400, Ryan Sleevi wrote:
> On Tue, Apr 10, 2018 at 2:42 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
>
> > > One proposal is to define a new OID and require it to be on any
> > > certificates that servers present as Secondary. This poses
> > > substantial deployment problems.
> >
> > Yeah, that is going to have deployment problems.
> >
>
> I'd like to understand more about these deployment problems. It seems these
> are based on assumption of long-lived certificates and the difficulty of
> obtaining new certificates. However, a number of CDNs and large providers
> are using automated APIs for their issuance and renewal, and a number of
> CAs offer automated APIs for end-users, including, notably, Let's Encrypt.

The thing I am concerned about is whether one is able to get a suitable
certificate at all, or if it requires some nasty (unscalable) "special
request" (which, e.g., Let's Encrypt never does).

-Ilari
Received on Tuesday, 10 April 2018 19:38:00 UTC