On Monday, 13 February 2017 22:40:45 UTC, Steve Medin wrote: > With de facto use of AIA, there is no issuer installation on the server that > could be improper. Proper is defined at the moment, either by cache or > discovery hints.
Much as I should like ubiquitous ambient Internet to be a ground truth, the reality is that clients connecting to a TLS server today don't necessarily have access in order to resolve URLs baked into AIA. Indeed in many cases (including for products sold by your own company, Symantec) the whole reason the client is talking to this particular server is in order to get access _to_ the Internet. As a result, and indeed exactly as we see today in the wild, trying to "paper over" this gap from the client cannot work reliably. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
