MikeBishop / http2-certs

Enabling client certificate authentication in HTTP/2

Do you ever include root certs? #9

Open MikeBishop opened 8 years ago

MikeBishop commented 8 years ago

From Andrei:

{#http-certificate}: “A certificate which specifies a trust anchor MAY be omitted” – why would one ever want to send the root? The peer can’t use it in any way, and in TLS, it’s been a source of interop issues.

SHOULD? MUST? Though, back to DANE, if DNS says that the cert must chain to a CA that the client doesn’t otherwise trust, wouldn’t the client need to see that cert to validate the signature?

I defer to my TLS brethren on this issue.

martinthomson commented 8 years ago

This is, I think, a complete copy of the TLS language:

Because certificate validation requires that trust anchors be distributed independently, a certificate that specifies a trust anchor MAY be omitted from the chain, provided that supported peers are known to possess any omitted certificates.

The point being that what comprises a "root" can be vague. For example, certification paths can include multiple potential trust anchors.
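As an added illustration of the "provided that supported peers are known to possess any omitted certificates" proviso (example code written for this page, not part of the draft or of either comment), the Go program below builds a constructed root -> intermediate -> leaf chain, drops a trailing self-signed certificate the way a sender may, and checks that the trimmed chain still validates, but only for a peer that already holds that root. All key material, names and helper function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for cn signed by parent/parentKey (self-signed when parent is nil); every key and name is constructed for this example.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // trust anchor: the template is signed with its own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TrimTrustAnchor drops a trailing self-signed certificate: the anchor that the quoted text says MAY be omitted.
func TrimTrustAnchor(chain []*x509.Certificate) []*x509.Certificate {
	if n := len(chain); n > 0 && chain[n-1].CheckSignatureFrom(chain[n-1]) == nil {
		return chain[:n-1]
	}
	return chain
}
// ChainVerifies reports whether chain[0] validates to anchor (the one root the peer holds), with the rest of the chain offered only as untrusted intermediates.
func ChainVerifies(chain []*x509.Certificate, anchor *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
// BuildExample constructs root -> intermediate -> leaf and returns the full chain plus its root.
func BuildExample() ([]*x509.Certificate, *x509.Certificate) {
	root, rootKey := newCert("Example Root", true, nil, nil)
	inter, interKey := newCert("Example Intermediate", true, root, rootKey)
	leaf, _ := newCert("client.example", false, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}, root
}
```

Calling BuildExample twice yields two roots with the same name but different keys, which is the DANE-style case from the first comment: a trimmed chain fails against a peer holding the other root.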