
Re: Requirements for Secondary Certificates (#522)

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Tue, 10 Apr 2018 22:37:27 +0300
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Mike Bishop <mbishop@evequefou.be>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20180410193727.GA9911@LK-Perkele-VII>

On Tue, Apr 10, 2018 at 03:11:15PM -0400, Ryan Sleevi wrote:
> On Tue, Apr 10, 2018 at 2:42 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > > One proposal is to define a new OID and require it to be on any
> > > certificates that servers present as Secondary.  This poses
> > > substantial deployment problems.
> >
> > Yeah, that is going to have deployment problems.
> >
> 
> I'd like to understand more about these deployment problems. It seems these
> are based on an assumption of long-lived certificates and the difficulty of
> obtaining new certificates. However, a number of CDNs and large providers
> are using automated APIs for their issuance and renewal, and a number of
> CAs offer automated APIs for end-users, including, notably, Let's Encrypt.

The thing I am concerned about is whether one is able to get a suitable
certificate at all, or if it requires some nasty (unscalable) "special request"
(which, e.g., Let's Encrypt never does).


-Ilari
Received on Tuesday, 10 April 2018 19:38:00 UTC