On Sun, Mar 15, 2026 at 10:00:27PM -0700, Aaron Gable wrote:
> On Sat, Mar 14, 2026, 09:45 Ilari Liusvaara <[email protected]>
> wrote:
>
> >
> > Any client that would be broken by the new field is broken by MTC
> > itself anyway.
> >
>
> This is not true: one of the core benefits of the link rel=alternate
> proposal is that it will break almost no clients. They'll either ignore the
> alternates entirely, or attempt to download it and ignore the failure.
> Basically all clients treat alternates as entirely optional until and
> unless they've been specifically configured to prefer a specific alternate.
At a minimum, if using link relations, the link relation needs to be
labeled properly so the client can handle it correctly. A client that knows
about MTC landmarks needs to treat the landmarks differently from alternate
standalone certificates. For example, queue the landmarks for later
processing, as waiting for the landmark during order processing is not an
option. Unless one wants bad hacks like assuming that if the main
certificate is MTC, then any broken alternate is an MTC landmark.

Then the link relation should have an estimate on when the landmark will be
available as a parameter, so the client does not need to attempt a futile
download just to discover this.

> Plenty of ACME clients are not integrated into their corresponding
> webserver, and do not care about the contents of the cert they download. As
> long as the webserver supports doing handshakes with the MTC cert, the ACME
> client could provide it with the standalone cert with zero changes.

Looking at RFC 8555, ACME clients are REQUIRED to reject any chain that
contains anything except certificates, which is not enough for MTC
provisioning. So any standards-compliant ACME client breaks.

Then even if the ACME client ignores RFC 8555 requirements, it will only
work if X.509 and MTC certificates are installed in the same way. The usual
webserver configuration controls are a poor match for MTC, so webservers
might end up doing something different with MTC.

-Ilari
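Added illustration of the two points raised in this message (a distinctly labelled link relation carrying an availability estimate, and the RFC 8555 rule that a downloaded chain holds only certificates); this is not code from the thread or from any ACME client. The relation name `mtc-landmark` and the parameter `available-after` are assumed placeholders, as no such relation is registered, and the header and PEM data are constructed.

```python
import re

# Assumed placeholders: ACME (RFC 8555 section 7.4.2) defines only rel="alternate";
# a distinct relation lets a client that understands MTC landmarks queue them
# instead of treating them as broken alternates.
LANDMARK_REL = "mtc-landmark"        # hypothetical relation name
AVAILABLE_PARAM = "available-after"  # hypothetical availability-estimate parameter

_LINK_RE = re.compile(r'<([^>]+)>((?:\s*;\s*[^;,]+)*)')


def parse_link_header(value):
    """Parse an HTTP Link header (RFC 8288) into (url, params) pairs."""
    links = []
    for m in _LINK_RE.finditer(value):
        params = {}
        for part in m.group(2).split(";"):
            part = part.strip()
            if not part:
                continue
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip().strip('"')
        links.append((m.group(1), params))
    return links


def classify_links(header):
    """Split links into alternates fetchable now, landmarks to queue with their
    availability estimate, and relations the client does not understand."""
    result = {"alternates": [], "landmarks": [], "unknown": []}
    for url, params in parse_link_header(header):
        rel = params.get("rel", "")
        if rel == "alternate":
            result["alternates"].append(url)
        elif rel == LANDMARK_REL:
            result["landmarks"].append((url, params.get(AVAILABLE_PARAM)))
        else:
            result["unknown"].append(url)
    return result


def chain_is_rfc8555_acceptable(pem):
    """RFC 8555 section 9.1: a downloaded chain may contain only CERTIFICATE blocks."""
    labels = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem)
    return bool(labels) and all(label == "CERTIFICATE" for label in labels)


# Constructed sample data (not real certificates or real CA URLs).
SAMPLE_HEADER = ('<https://ca.example/cert/123/alt1>;rel="alternate", '
                 '<https://ca.example/cert/123/landmark>;rel="mtc-landmark"'
                 ';available-after="2026-03-16T00:00:00Z"')
SAMPLE_X509_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_MTC_CHAIN = SAMPLE_X509_CHAIN + "-----BEGIN MTC LANDMARK-----\nAAAA\n-----END MTC LANDMARK-----\n"
```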
