Hello,

There can be a few different views:

a) weakens security, because of lazy administrators who don't install the intermediate. At my workplace, we always try to tell IT people to install it.

b) strengthens security, because the browser fills the gaps with the AIA URL, rather than the end user clicking on some alarm without reading.

c) for personal (for authentication or form signing) certificates, it's hard to give a good way to import the full chain; at the import of a personal certificate, this can be useful.

And finally, do not forget that these problems are also applicable to Thunderbird too, because there are a lot of SSL certificates which are used for mail servers.

I think this behaviour should be copied, but maybe a popup "accept it" window, or managing this behaviour from config, is needed to control it, if somebody wants to control it.

Best regards,
Varga Viktor
Netlock Kft.
IT Service Executive

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+varga.viktor=netlock...@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Wednesday, July 30, 2014 9:17 PM
To: [email protected]
Subject: Dynamic Path Resolution in AIA CA Issuers

On 7/28/14, 11:00 AM, Brian Smith wrote:
> I suggest that, instead of including the cross-signing certificates in
> the NSS certificate database, the mozilla::pkix code should be changed
> to look up those certificates when attempting to find them through NSS
> fails. That way, Firefox and other products that use NSS will have a
> lot more flexibility in how they handle the compatibility logic.

There's already a bug for fetching missing intermediates:
https://bugzilla.mozilla.org/show_bug.cgi?id=399324

I think it would help with removal of roots (the remaining 1024-bit roots, non-BR-compliant roots, SHA1 roots, retired roots, etc.), and IE has been supporting this capability for a long time.

So, should we do this? Does it introduce security concerns?

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

