On 16/05/17 15:41, Ryan Sleevi via dev-security-policy wrote: <snip>
The important point in this is that there should not be a non-linear path of trust (which is implied, I think, by the reading of "group of cross-certs"). But yes, there would be a linearized path.
If you *rely* on AIA, then why not set the AIA->caIssuers content to be a PKCS#7 "group of cross-certs" ?
Unquestionably, this means that performance gets worse for sites who support clients that do not support AIA and who serve the extra (potentially unnecessary) chains. This does put a certain pressure on these clients _to_ support AIA, and the performance implications would only become worse the longer the legacy clients exist. However, if/when 'enough' clients support AIA (or automatic updates), the performance costs evaporate. This helps create a virtuous cycle in which site operators are incentivized to support clients that support AIA/automatic updates, and software developers are incentivized to provide clients that support AIA/automatic updates :)
-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online