- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Fri, 18 Sep 2015 21:33:47 +0300
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Sep 18, 2015 at 07:11:20PM +0100, henry.story@bblfish.net wrote:
> > You mean: don't send the certificate, link to it on the web?
> Then you are close to WebID-TLS
> http://www.w3.org/2005/Incubator/webid/spec/
> WebID-TLS only published the public key, but one could
> also publish the full certificate. (people had suggested
> that before, but we were waiting for larger use cases to
> consider it)

No, I meant sending the certificate chain. But if the equivalent to the certificate chain is just a single raw public key, one could stick it to headers (but I suppose for implementability reasons one would not do that).

> The advantage following that pattern is you put the certificate
> anywhere you like, not just in .well-known.

Which causes all the security issues from retrieving URLs. And also, most of the users probably won't have any place to stick the cert to.

-Ilari

Received on Friday, 18 September 2015 18:34:13 UTC