Re: Requirements for Secondary Certificates (#522)

On Tue, Apr 10, 2018 at 03:11:15PM -0400, Ryan Sleevi wrote:
> On Tue, Apr 10, 2018 at 2:42 PM, Ilari Liusvaara <>
> wrote:
> > > One proposal is to define a new OID and require it to be on any
> > > certificates that servers present as Secondary.  This poses
> > > substantial deployment problems.
> >
> > Yeah, that is going to have deployment problems.
> >
> I'd like to understand more about these deployment problems. It seems these
> are based on the assumption of long-lived certificates and the difficulty of
> obtaining new certificates. However, a number of CDNs and large providers
> are using automated APIs for their issuance and renewal, and a number of
> CAs offer automated APIs for end-users, including, notably, Let's Encrypt.

The thing I am concerned about is whether one is able to get a suitable
certificate at all, or if it requires some nasty (unscalable) "special
request" (which, e.g., Let's Encrypt never does).
Received on Tuesday, 10 April 2018 19:38:00 UTC