On Mon, Feb 13, 2017 at 8:17 AM, Steve Medin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Getting all user agents with interest in issuance limits to implement the
> CA Issuers form of AIA for dynamic path discovery and educating server
> operators to get out of the practice of static chain installation on
> servers would make CA rollovers fairly fluid and less subject to operator
> error of failing to install the proper intermediate.


Can you explain more to support that statement?

The issue that Gerv is discussing is primarily related to intermediate
issuance; a CA can easily roll over to a new intermediate and provide their
customers a holistic chain that represents a path to a Mozilla root. The
issue you describe - with AIA fetching - is one primarily restricted to
handling _root_ rollover, not _intermediate_ rollover; that is, when you're
constructing an alternative trust path for a set of existing certificates,
rather than, as Gerv raised, ensuring that new certificates come from a
single ('new') trust path once the existing intermediate has been
'exhausted'.

While a strong proponent of AIA, I don't believe your argument here is
relevant, although I'm quite happy to understand what technical criteria
exist that make you believe it would be beneficial to address this specific
problem.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy