No description provided.
Recommend including intermediate certificates in a BIP70 payment request. #22
schildbach wants to merge 1 commit into bitcoin:master from schildbach:bip70-recommend-intermediate-certs, changing 1 file (+4 −3)
schildbach commented at 11:04 PM on February 28, 2014: contributor
-
gavinandresen commented at 11:16 PM on February 28, 2014: contributor
I think the wording needs to express the idea that the certificate chain MUST be complete, up to (but not including) a trusted root certificate. But RFC5280 validation will fail if it is not, so I'm not sure how explicit we really need to be.
-
ExperimentsAndIdeas commented at 5:59 AM on March 1, 2014: none
The AIA field should tell the client where to fetch the issuer certificate if it's not included. We should recommend that the certificate is always available over HTTP and perhaps Namecoin (or other store).
It may be educational to say that HTTPS storage of a signed parent certificate provides no security value add.
(new to GitHub, not sure if this is where this comment should go. Please advise on the correct location to discuss this)
-
schildbach commented at 8:46 AM on March 1, 2014: contributor
@makerofthings7 Keep in mind wallets might not have HTTP(S) access, maybe not even TCP connectivity. IMHO it should be a goal of this spec that the cert chain can always be validated offline.
-
ExperimentsAndIdeas commented at 4:15 PM on March 1, 2014: none
If offline validation is a goal, and we want to support DANE (self-published CA roots in DNS), then the entire chain, including the root, should be included.
http://tools.ietf.org/html/rfc6698 @schildbach @gavinandresen
-
schildbach commented at 12:36 PM on March 5, 2014: contributor
I changed the wording to:
"This MUST be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one, up to (but not including) a trusted root authority. The trusted root authority MAY be included."
That allows self-signed CA roots while still suggesting that normally the root cert is not required.
-
gavinandresen commented at 5:23 PM on March 18, 2014: contributor
ACK
-
schildbach commented at 8:54 PM on March 23, 2014: contributor
@makerofthings7 Are you ok with the current change?
-
ExperimentsAndIdeas commented at 9:53 PM on March 23, 2014: none
Yes, thank you.
-
Require including intermediate certificates in a BIP70 payment request. 4964569a67
-
schildbach commented at 10:21 AM on April 13, 2014: contributor
Ping. What's needed to get this merged? (I just rebased on current master)
-
schildbach commented at 10:36 PM on April 25, 2014: contributor
Ping! What's needed to get this merged?
- gmaxwell referenced this in commit cd2850fa08 on Apr 25, 2014
- gmaxwell merged this on Apr 25, 2014
- gmaxwell closed this on Apr 25, 2014
- schildbach deleted the branch on May 14, 2014
- luke-jr referenced this in commit 1a1dc1e70f on Jun 6, 2017
- guggero referenced this in commit fbbb9c1da0 on Jun 23, 2022