On Mon, Feb 13, 2017 at 8:17 AM, Steve Medin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Getting all user agents with interest in issuance limits to implement the
> CA Issuers form of AIA for dynamic path discovery and educating server
> operators to get out of the practice of static chain installation on
> servers would make CA rollovers fairly fluid and less subject to operator
> error of failing to install the proper intermediate.

Can you explain more to support that statement?

The issue that Gerv is discussing is primarily related to intermediate issuance; a CA can easily roll over to a new intermediate and provide their customers a holistic chain that represents a path to a Mozilla root.

The issue you describe - with AIA fetching - is one primarily restricted to handling _root_ rollover, not _intermediate_ rollover; that is, when you're constructing an alternative trust path for a set of existing certificates, rather than, as Gerv raised, ensuring that new certificates come from a single ('new') trust path once the existing intermediate has been 'exhausted'.

While a strong proponent of AIA, I don't believe your argument here is relevant, although I'm quite happy to understand what technical criteria exist that make you believe it would be beneficial to address this specific problem.
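The AIA path-discovery behaviour the two messages disagree about, as an added Go example that is not part of either participant's post: a constructed three-tier hierarchy in which only the leaf carries an AIA caIssuers URL, a verification that fails when the server sends the leaf alone (the "failing to install the proper intermediate" case), and a wrapper that recovers the missing intermediate by following caIssuers. The URL and the in-memory fetcher are assumptions standing in for a CA's real HTTP endpoint; Go's own crypto/x509 does no AIA fetching, so the wrapper is where that client-side behaviour has to live.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed caIssuers URL; it is only a lookup key for the in-memory fetcher below.
const intermediateAIAURL = "http://aia.example.invalid/intermediate.cer"

// Fetcher resolves a caIssuers URL to DER bytes (a real client would do an HTTP GET).
type Fetcher func(url string) ([]byte, error)

// PKI holds a constructed hierarchy: root -> intermediate -> leaf.
type PKI struct{ Root, Intermediate, Leaf *x509.Certificate }

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildTestPKI mints a throwaway hierarchy; only the leaf carries an AIA caIssuers URL.
func BuildTestPKI() PKI {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root := mustCert(ca(1, "Example Root CA"), nil, &rootKey.PublicKey, rootKey)
	inter := mustCert(ca(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{intermediateAIAURL}, // the AIA caIssuers pointer
	}, inter, &leafKey.PublicKey, intKey)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// Fetcher is an offline stand-in for the CA's AIA endpoint.
func (p PKI) Fetcher() Fetcher {
	return func(url string) ([]byte, error) {
		if url == intermediateAIAURL {
			return p.Intermediate.Raw, nil
		}
		return nil, errors.New("no such caIssuers URL")
	}
}

// VerifyWithAIA first tries the intermediates the server sent; when that fails it
// follows caIssuers URLs upward (bounded), accepting a fetched certificate only if
// it actually signed the certificate currently being examined.
func VerifyWithAIA(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool,
	fetch Fetcher, dnsName string) ([][]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName}
	cur := leaf
	for hop := 0; hop < 5; hop++ {
		if chains, err := leaf.Verify(opts); err == nil {
			return chains, nil
		}
		var next *x509.Certificate
		for _, u := range cur.IssuingCertificateURL {
			der, err := fetch(u)
			if err != nil {
				continue
			}
			if issuer, err := x509.ParseCertificate(der); err == nil && cur.CheckSignatureFrom(issuer) == nil {
				next = issuer
				break
			}
		}
		if next == nil {
			break // nothing further to discover; fall through to the final Verify
		}
		inter.AddCert(next)
		cur = next
	}
	return leaf.Verify(opts)
}

func main() {
	p := BuildTestPKI()
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	// Misconfigured server: leaf sent alone, intermediate never installed.
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.com"})
	fmt.Println("static chain, intermediate missing:", err)
	chains, err := VerifyWithAIA(p.Leaf, nil, roots, p.Fetcher(), "www.example.com")
	if err == nil {
		fmt.Println("with AIA discovery: chain of", len(chains[0]), "certificates")
	}
}
```

The wrapper only helps with the case Medin describes, a leaf whose issuer the server omitted; it does not build an alternative path to a different root for an existing certificate, which is the root-rollover case the reply separates out. The hop bound and the `CheckSignatureFrom` gate matter in a real client: a caIssuers URL is attacker-influenced input from an untrusted certificate, so nothing fetched from it is trusted until its signature over the certificate in hand checks out, and the walk terminates regardless of what the endpoints return.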