> I would like to see answers to the following questions:
> - Does the WG agree that certificate chains should be sent and validated
> as described for "approach A" ?
> - Is there anyone who would prefer "approach B" over "approach A"?
> Please send your comments, even if you have commented on this issue before.
> Again, it is much easier for me to evaluate responses to a specific binary
> question than to try to interpret past messages.

This topic was about making sure that it is possible for
certificate chain validation to happen. Back in April I
performed a consensus call on what I called "Approach A".
This approach requires that if one side sends all the certs
needed to construct a valid path (excluding the root), then
the receiving side MUST be capable of doing the validation.
It also requires that both client and KDC be capable of
sending the complete set of certs, if the right set of certs
is provided through configuration or policy.

Brian, Sam, Larry, and I all prefer approach A.
Nico and Love both are equally happy with approach A or B.
I was unable to find any comments from anyone else.

So that means we had around 5 responses to the consensus call,
all positive or neutral. That, combined with my previous
comments on expiration of consensus calls, leads me to believe
that there is in fact consensus to go ahead with approach A.

I note that PKINIT-26 already reflects this approach, so I
will close ticket #842 without further comment.