On Mon, Jan 5, 2009 at 8:14 PM, Paul Hoffman <phoff...@proper.com> wrote:
>>As far as I know, the AIA only applies to the end entity certificate, and not 
>>to any children certificates. Do you have any evidence in any standard that 
>>this is not the case ?
>>
>>From RFC3280:
>>
>>4.2.2.1  Authority Information Access
>>
>>   The authority information access extension indicates how to access CA
>>   information and services for the issuer of the certificate in which
>>   the extension appears.
>>
>>In other words, if you examine the AIA of an intermediate certificate, you 
>>will access the services of the intermediate's issuer (perhaps the root). You 
>>would not be able to use the OCSP responder to check the EE certificate's 
>>revocation status.
>
> My reading of RFC 5280 (the successor to RFC 3280, but it's almost identical 
> here) is that an AIA can tell you the OCSP responder for a particular CA or 
> RA. The OCSP responder is definitive for any certs signed by the CA/RA. In 
> the case of a rogue RA, the OCSP responder for the CA can revoke the rogue RA 
> because the rogue RA is "signed" by the CA.
>
> Is there part of 3280/5280 that you see that disagrees with this? This is a 
> serious question: I could be way off on this.

The certificate which is forged can point to a completely different
AIA than would otherwise be expected.  The processing rules for this
state that you check the certificate, not the parent (under the
assumption that certificates could never be forged).

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
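Added example (not from the thread or from any Mozilla code): a Go program using only the standard library that builds a root / intermediate / end-entity chain in which each non-root certificate carries an AIA id-ad-ocsp URL, and a helper that reports, for a given certificate, which responder its own AIA names and whose services that responder provides. All names, URLs and serial numbers are constructed for the demonstration; the point it shows is the one quoted above: the AIA read from a certificate locates the services of that certificate's issuer, so a verifier deciding where to check the EE must read the EE's own extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal certificate template; ocsp becomes the AIA id-ad-ocsp accessLocation(s).
func template(cn string, serial int64, ca bool, ocsp []string) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: usage, OCSPServer: ocsp,
	}
}

// makeCert signs tmpl with the parent's key; a nil parent yields a self-signed certificate.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain returns [leaf, intermediate, root]; constructed names and URLs, for illustration only.
func BuildChain() []*x509.Certificate {
	root, rootKey := makeCert(template("Test Root", 1, true, nil), nil, nil)
	inter, interKey := makeCert(template("Test Intermediate", 2, true, []string{"http://ocsp.root.example"}), root, rootKey)
	leaf, _ := makeCert(template("ee.example", 3, false, []string{"http://ocsp.intermediate.example"}), inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

// ResponderFor reads the AIA of chain[i] itself (never the parent's) and returns the OCSP URL it
// names together with the issuer (chain[i+1]) whose services that responder provides.
func ResponderFor(chain []*x509.Certificate, i int) (url, issuer string, ok bool) {
	if i+1 >= len(chain) || len(chain[i].OCSPServer) == 0 {
		return "", "", false // root, or no AIA present: nothing to consult
	}
	return chain[i].OCSPServer[0], chain[i+1].Subject.CommonName, true
}
```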