Signed HTTP Exchanges require SSL certificates with the
CanSignHttpExchanges extension. DigiCert is currently the only provider of these certificates. It would be wonderful if support for this extension could be incorporated into Let’s Encrypt certificate generation.
Signed HTTP Exchanges (jump to certificate requirements)
Signed HTTP Exchanges Implementation Checkpoints
Reference implementation of Signed HTTP Exchanges format generator
Google write-up about HTTP Signed Exchanges
DigiCert with CanSignHttpExchanges extension
April 8, 2019, 4:42pm
Welcome to the Let’s Encrypt community forum
I haven’t been following any of this Signed HTTP Exchanges work. Thanks for opening a thread and sharing some context.
I think it’s likely too early in this draft’s development for Let’s Encrypt to prioritize implementation. It looks like it has a ways to go within the IETF before it would be an internet standard.
Beyond the x.509 extension
section 4.2 “Certificate Requirements” mentions:
A conforming CA MUST NOT issue certificates with this extension unless, for each dNSName in the subjectAltName extension of the certificate to be issued:
An “issue” or “issuewild” CAA property (
[RFC6844]) exists that authorizes the CA to issue the certificate; and The “cansignhttpexchanges” parameter (
Section 4.2.1) is present on the property and is equal to “yes”
#2 of this would require development work in Boulder to process the
"cansignhttpexchanges" CAA property that the draft introduces.
A certificate with the CanSignHttpExchanges extension is required to serve AMP using Signed Exchanges:
“As of April 2019, only DigiCert provides this extension.”
Is this something to implement (instead of something like S/MIME!) whilst browser vendors officially consider the spec harmful?
Thanks for providing some context. Many of the comments you’ve shared are outdated though (by over a year). Notably, in the first thread you linked, there is ongoing effort to assuage the standards-positions concerns; see
May 31, 2019, 6:11pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.