Objects in the quantum mirror are closer than they appear.
https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
| Website | https://davidben.net |
@filippo @icing I should say, it really is important to me that this work for things like curl. There's more stuff we need to fill into the spec right now, but we'll have a really hard time moving to this if you can't *at least* slot the basic standalone cert + only checking for CA signature behavior into all the Web-adjacent places today.
(I also hope we can get broader transparency enforcement than today and the broad deployment of the optimization, but as you say, I'm sure not every install will be able to do everything.)
@icing @filippo Indeed. Like I said, this design does not need the blob to function. We did think of this. 🙂 The standalone certificates work, as the name says, standalone. They are comparable in size to what you'd have gotten if we hadn't done anything at all.
It would be great if upki lets many curl installs get the optimization. But if some curl installs cannot (just as some Chrome installs cannot), it is still fine.
@icing @filippo No, that's still not right. The optimization does not rely on per-site state. It relies on site-independent information that you get from your update service, just like CRLsets/CRLite/upki. (Indeed we've been the one trying to hold the line at that *because* it's a better privacy story.)
And if you don't get that update, for whatever reason, the standalone certificates work just fine. Servers are expected to have both. (Even in browsers, we cannot assume 100% of all clients are up-to-date with component updates.)
New blog post: ML-KEM Mythbusting.
Due to reasons.