Current status

Gary E. Miller gem at rellim.com
Wed Feb 13 21:47:30 UTC 2019


Yo Hal!

On Wed, 13 Feb 2019 13:27:09 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> That's sufficiently complicated that I'm not going to think about it
> now.  If somebody thinks it is interesting enough, they should put it
> on the list. Maybe an issue, but Eric likes to delete those rather
> than use them for tracking long term issues.

Sad.  Long term plans are good.

> > A lot of users are simply incapable of making their own cert chain.
> > Fancy deployments need too many chains to make them practical.
> 
> You need one chain per cert.

Uh, no.  At least not if you are following the spec.  Note that some
LE certs can use multiple chains for one cert.

> I was expecting the chain to replace
> the cert so the bookkeeping wouldn't be any more complicated.

What bookkeeping?  Don't you just ask OpenSSL to check things?

> If I get a cert from $BIGCERTCO, what do they give me?

A plain cert file, and then tell you where to get the intermediate
certs.

>  Does the cert
> need intermediate certs or is the cert that certifies my new cert
> part of the normal root cert collection?

Both are possible.

> If it needs intermediate cert(s), do they give me two files or one?

Both are possible.  LE gives you a full chain file and just the public
file.  More common is just the public key file, as you likely already
have the intermediate in your cert store, or you get it from
their website.

> > What is a "chain TLS client"?  
> 
> A typo.

A typo for what?

> The API I'm using  is that I give OpenSSL/server one file containing
> a cert and whatever other certs it needs to get to the root certs
> that the OpenSSL/client will be using.  One file seems simpler for
> everybody than two.

Except for the people that only have two.  Pretty trivial for your
code to concatenate the two and pass that to OpenSSL.

> I'm calling that "cert and other certs" a chain.

Except that is not the definition of a cert full chain file.

Please don't make up new terms for long standing, well settled, concepts.

> If two files is what people want/use, we can add that.  It looks like
> ugly code, but I think I have found the API.

Ugly?  Open two files, concatenate, pass to OpenSSL.

>  Again, I'm putting it
> on the back burner.  If it's important, somebody should put it on the
> list.

That one I'm confident will just keep insisting to be done.  Way too
common, and important, to be swept under the rug.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
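As an added example (not code from this thread or from NTPsec), here is the "open two files, concatenate, pass to OpenSSL" step in Python, building the full chain file in the order OpenSSL's one-file API expects and then handing it to `ssl.SSLContext.load_cert_chain`. The PEM bodies are constructed placeholders, not real certificates; `build_fullchain` checks PEM structure and order only.

```python
"""Assemble an OpenSSL-style 'full chain' file from a separate leaf cert
file and intermediate (chain) file: the server's own cert first, then
each intermediate in order, root omitted, never a private key."""
import re
import ssl

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, body) for each PEM block, ignoring text between blocks
    (CA bundles often carry 'subject=' / 'issuer=' comment lines)."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK.finditer(text)]


def build_fullchain(cert_pem, chain_pem):
    """Concatenate leaf + intermediates into one chain file body.

    Rejects anything that is not a CERTIFICATE block (a private key must
    never end up in the chain file) and drops a leaf that is repeated in
    the chain file (e.g. when fullchain.pem is handed in as the chain)."""
    leaf = pem_blocks(cert_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("cert file must contain exactly one CERTIFICATE block")
    out = [leaf[0]]
    for label, body in pem_blocks(chain_pem):
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to put a {label} block into the chain file")
        if (label, body) in out:
            continue  # duplicate of a cert already in the chain: skip it
        out.append((label, body))
    return "".join(
        f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n" for label, body in out
    )


def server_context(fullchain_path, key_path):
    """Hand the single chain file to OpenSSL (SSL_CTX_use_certificate_chain_file
    underneath); the private key stays in its own file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=fullchain_path, keyfile=key_path)
    return ctx


# Constructed sample inputs: bodies are placeholders, not real DER.
LEAF = "-----BEGIN CERTIFICATE-----\nTEFBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
```

`server_context` needs real certificate and key files; the sample constants above exercise only the assembly step.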