On Fri, Mar 13, 2026 at 04:02:00PM +0800, David Benjamin wrote:
>
> I'd certainly lean towards smaller changes over big ones. That seems
> generally easier for folks to adopt. There seems to be a pretty good
> analogy to the existing alternate chains thing.

However, even if a change looks small, it can still be very hard to adopt
due to increased complexity.

> Different paths to the same leaf certificate are acceptable to different
> relying parties, depending on what they trust, but ultimately describe the
> same issuance event. Similarly, standalone and landmark certificates
> ultimately describe the same issuance event (thus one order), but different
> relying parties will accept different of these. And then the trust anchor
> IDs machinery replaces the heuristics with something well-defined.
>
> The only new thing is that one alternate takes some time to become
> available, hence the Retry-After idea. (Not necessarily the only or best
> way to spell this, but that was some of the thinking behind this particular
> idea. Aaron posted a more complete list of other options. This one feels
> the most natural to me.)

An alternate becoming available later is one of those changes that look
small, but have major complexity impact.

And that is not the only new thing. With alternates, the client chooses
only one, with this it uses both.

-Ilari

_______________________________________________
Acme mailing list -- [email protected]
