On Tue, Apr 10, 2018 at 03:11:15PM -0400, Ryan Sleevi wrote: > On Tue, Apr 10, 2018 at 2:42 PM, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > > One proposal is to define a new OID and require it to be on any > > > certificates that servers present as Secondary. This poses > > > substantial deployment problems. > > > > Yeah, that is going to have deployment problems. > > > > I'd like to understand more about these deployment problems. It seems these > are based on assumption of long-lived certificates and the difficulty of > obtaining new certificates. However, a number of CDNs and large providers > are using automated APIs for their issuance and renewal, and a number of > CAs offer automated APIs for end-users, including, notably, Let's Encrypt. The thing I am concerned about is one able to get suitable certificate at all, or if it requires some nasty (unscalable) "special request" (which, e.g., Let's Encrypt never does). -IlariReceived on Tuesday, 10 April 2018 19:38:00 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:59 UTC