This repository has been archived by the owner on Apr 24, 2020. It is now read-only.
Register application/pem-certificate-chain. #276
Merged
Changes from 1 commit (the pull request has 6 commits in total):

1aa1727  Register application/pem-certificate-chain.  (jsha)
3e9dd8f  Merge branch 'master' into pem-certificate-chain  (bifurcation)
c9e66a2  Add note to RFC editor.  (jsha)
a7d10d8  Merge branch 'master' of https://github.com/ietf-wg-acme/acme into pe…  (jsha)
6d32518  Merge branch 'pem-certificate-chain' of github.com:jsha/acme into pem…  (jsha)
8ab7cb3  Merge branch 'master' into pem-certificate-chain  (bifurcation)
@@ -1474,16 +1474,10 @@ described in {{identifier-authorization}} to complete the authorization process. | |
To download the issued certificate, the client simply sends a GET request to the | ||
certificate URL. | ||
|
||
The default format of the certificate is PEM (application/x-pem-file) as | ||
specified by {{!RFC7468}}. This format should contain the end-entity certificate | ||
first, followed by any intermediate certificates that are needed to build a path | ||
to a trusted root. Servers SHOULD NOT include self-signed trust anchors. The | ||
client may request other formats by including an Accept header in its request. | ||
For example, the client could use the media type `application/pkix-cert` | ||
{{!RFC2585}} to request the end-entity certificate in DER format. | ||
The default format of the certificate is application/pem-certificate-chain (see IANA Considerations). | ||
|
||
The server MAY provide one or more link relation header fields {{RFC5988}} with | ||
relation "alternate". Each such field should express an alternative certificate | ||
relation "alternate". Each such field SHOULD express an alternative certificate | ||
chain starting with the same end-entity certificate. This can be used to express | ||
paths to various trust anchors. Clients can fetch these alternates and use their | ||
own heuristics to decide which is optimal. | ||
|
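Review bot: the one-line replacement drops the requirement that servers SHOULD NOT include self-signed trust anchors, and the IANA text added later in this PR only says a trust-anchor certificate MAY be omitted, which is a weaker statement; keep the SHOULD NOT here or state the intended requirement in a single place so the two sections do not disagree. The parenthetical "(see IANA Considerations)" should also be a `{{...}}` cross-reference in the draft's own style (as `{{identifier-authorization}}` is in the hunk header), and the "should" to "SHOULD" change in the "alternate" link-relation sentence is a normative change that deserves a mention in the commit message.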
@@ -1494,8 +1488,7 @@ Host: example.com | |
Accept: application/pkix-cert | ||
|
||
HTTP/1.1 200 OK | ||
Content-Type: application/pkix-cert | ||
Link: <https://example.com/acme/ca-cert>;rel="up";title="issuer" | ||
Content-Type: application/pem-certificate-chain | ||
Link: <https://example.com/acme/some-directory>;rel="index" | ||
|
||
-----BEGIN CERTIFICATE----- | ||
|
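Review bot: the request in this example still sends `Accept: application/pkix-cert` while the response now returns `Content-Type: application/pem-certificate-chain`, so the exchange shows a server ignoring the client's Accept header. Either remove the Accept line (the default format needs none) or change it to `application/pem-certificate-chain` so the example is self-consistent; dropping the `rel="up"` Link is fine for the inline chain, but an example of the single-certificate `application/pkix-cert` response would need to keep it.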
@@ -1518,6 +1511,15 @@ server MAY enable the caching of the resource by adding Expires and | |
Cache-Control headers specifying a point in time in the distant future. These | ||
headers have no relation to the certificate's period of validity. | ||
|
||
The ACME client MAY request other formats by including an Accept | ||
header in its request. For example, the client could use the media type | ||
`application/pkix-cert` {{!RFC2585}} to request the end-entity certificate | ||
in DER format. Server support for alternate formats is OPTIONAL. For | ||
formats that can only express a single certificate, the server SHOULD | ||
provide one or more `Link: rel="up"` headers pointing to an issuer or | ||
issuers so that ACME clients can build a certificate chain as defined | ||
in TLS. | ||
|
||
## Identifier Authorization | ||
|
||
The identifier authorization process establishes the authorization of an account | ||
|
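Review bot: the new paragraph makes alternate-format support OPTIONAL but never says how a server that does not support the requested type should respond (ignore the Accept header and return the default chain, or answer 406 Not Acceptable); without that, clients cannot handle the miss interoperably, so add one sentence stating the expected behaviour. "build a certificate chain as defined in TLS" should also cite the TLS specification in the draft's `{{...}}` style, as `{{!RFC2585}}` is cited two lines earlier.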
@@ -2245,6 +2247,39 @@ identifier possession are determined by the server's local policy. | |
|
||
# IANA Considerations | ||
|
||
## MIME Type: application/pem-certificate-chain | ||
|
||
The "Media Types" registry should be updated with the following additional | ||
value: | ||
|
||
MIME media type name: application | ||
|
||
MIME subtype name: pem-certificate-chain | ||
|
||
Required parameters: None | ||
|
||
Optional parameters: None | ||
|
||
Encoding considerations: None | ||
|
||
Security considerations: Carries a cryptographic certificate | ||
|
||
Interoperability considerations: None | ||
|
||
Published specification: draft-ietf-acme-acme | ||
Inline review comment on the "Published specification" line: This should contain a note to the RFC editor to replace the value of the field with
||
|
||
Applications which use this media type: Any MIME-complaint transport | ||
|
||
Additional information: | ||
|
||
File should contain one or more certificates encoded as PEM according to | ||
RFC 7468. In order to provide easy interoperation with TLS, the first | ||
certificate MUST be an end-entity certificate. Each following certificate | ||
SHOULD directly certify one preceding it. Because certificate validation | ||
requires that trust anchors be distributed independently, a certificate | ||
that specifies a trust anchor MAY be omitted from the chain, provided | ||
that supported peers are known to possess any omitted certificates. | ||
|
||
## Well-Known URI for the HTTP Challenge | ||
|
||
The "Well-Known URIs" registry should be updated with the following additional | ||
|
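Review bot: "Any MIME-complaint transport" in the Applications line should read "MIME-compliant", and "SHOULD directly certify one preceding it" should read "the one preceding it". The `Published specification: draft-ietf-acme-acme` value needs an RFC Editor note asking for the draft name to be replaced by the assigned RFC number (the later "Add note to RFC editor." commit appears to do this). Two smaller points: the field labels should follow the RFC 6838 registration template ("Type name:", "Subtype name:") rather than "MIME media type name"/"MIME subtype name", and the Security considerations entry should state that the type carries no active content, which is what registry reviewers look for in addition to noting that it carries a certificate.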
Was the idea of removing content negotiation discussed on the list? I'm not seeing it.
I didn't remove content negotiation, just moved it lower in the section.