Someone really should write up "AIA chasing considered harmful".  It was
disputed at the TLS session at IETF 105, which shows that the reasoning
behind it is not as widely understood as it needs to be, even among TLS
experts.

I'm very appreciative of Firefox's efforts in this area.  Leveraging the
knowledge of all the publicly disclosed ICAs to improve chain-building is an
idea whose time has come.

-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Wayne Thayer via dev-security-policy
> Sent: Monday, December 2, 2019 3:29 PM
> To: Ben Laurie <b...@google.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Peter Gutmann <pgut...@cs.auckland.ac.nz>
> Subject: Re: [FORGED] Re: How Certificates are Verified by Firefox
> 
> Why not "AIA chasing considered harmful"? The current state of affairs is that
> most browsers [other than Firefox] will go and fetch the intermediate if it's not
> cached. This manifests itself as sites not working in Firefox, and users switching
> to other browsers.
> 
> You may be further dismayed to learn that Firefox will soon implement
> intermediate preloading [1] as a privacy-preserving alternative to AIA chasing.
> 
> - Wayne
> 
> [1] https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading#Intermediate_CA_Preloading
> 
> On Thu, Nov 28, 2019 at 1:39 PM Ben Laurie <b...@google.com> wrote:
> 
> >
> >
> > On Thu, 28 Nov 2019 at 20:22, Peter Gutmann
> > <pgut...@cs.auckland.ac.nz>
> > wrote:
> >
> >> Ben Laurie via dev-security-policy
> >> <dev-security-policy@lists.mozilla.org>
> >> writes:
> >>
> >> >In short: caching considered harmful.
> >>
> >> Or "cacheing considered necessary to make things work"?
> >
> >
> > If you happen to visit a bazillion sites a day.
> >
> >
> >> In particular:
> >>
> >> >caching them and filling in missing ones means that failure to
> >> >present correct cert chains is common behaviour.
> >>
> >> Which came first?  Was cacheing a response to broken chains or broken
> >> chains a response to cacheing?
> >>
> >> Just trying to sort out cause and effect.
> >>
> >
> > Pretty sure if broken chains caused browsers to not show pages, then
> > there wouldn't be broken chains.
> >
> > --
> > I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
> > #VerifyAllTheThings.
> >
> > https://g.co/u58vjr https://g.co/adjusu *(Google internal)*
> >
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
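The thread contrasts three client behaviours when a server omits its intermediate: fail the handshake, fetch the issuer from the leaf's AIA URL (which tells the CA's server which site was visited), or fill the gap from a locally preloaded set of disclosed intermediates. The program below is an added illustration, not code from the thread or from Mozilla; it builds a throwaway root/intermediate/leaf hierarchy in memory (the names, the AIA URL and the hostname are all constructed) and uses Go's standard `crypto/x509` verifier, which never fetches over the network, to show a leaf-only presentation failing without a preload, succeeding with the intermediate preloaded, and succeeding when the server sends the full chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Certs is a slice of parsed certificates, leaf first where order matters.
type Certs = []*x509.Certificate

// TestPKI is a constructed three-tier hierarchy standing in for a public CA:
// root -> intermediate -> server leaf. None of it is a real CA.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	return k
}

// mkCert signs tmpl with the parent's key and returns the parsed result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		log.Fatal(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		log.Fatal(err)
	}
	return c
}

// NewTestPKI builds the hierarchy. The leaf carries an AIA "CA Issuers" URL
// (a constructed placeholder) the way a real leaf would; that URL is what an
// AIA-chasing client contacts when the intermediate is missing.
func NewTestPKI() TestPKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Test Root")
	root := mkCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mkCert(ca(2, "Example Test Intermediate"), root, &interKey.PublicKey, rootKey)
	leaf := mkCert(&x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{"http://aia.example.test/intermediate.cer"}, // constructed AIA URL
	}, inter, &leafKey.PublicKey, interKey)
	return TestPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented models a client that never fetches: the chain is built only
// from what the server presented plus locally preloaded intermediates.
// It returns the chain length (leaf..root) on success.
func VerifyPresented(presented, roots, preloaded Certs, host string) (int, error) {
	if len(presented) == 0 {
		return 0, errors.New("server presented no certificate")
	}
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range append(append(Certs{}, presented[1:]...), preloaded...) {
		interPool.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// IsUnknownAuthority reports the "no issuer found" failure, i.e. the exact
// situation in which an AIA-chasing client would go to the network instead.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	pki := NewTestPKI()
	roots, leafOnly := Certs{pki.Root}, Certs{pki.Leaf} // misconfigured server: intermediate omitted
	if _, err := VerifyPresented(leafOnly, roots, nil, "www.example.test"); IsUnknownAuthority(err) {
		fmt.Printf("no preload: chain incomplete; an AIA chaser would fetch %v\n", pki.Leaf.IssuingCertificateURL)
	}
	n, err := VerifyPresented(leafOnly, roots, Certs{pki.Intermediate}, "www.example.test")
	fmt.Println("with preloaded intermediate:", n, err)
	n, err = VerifyPresented(Certs{pki.Leaf, pki.Intermediate}, roots, nil, "www.example.test")
	fmt.Println("full chain presented:", n, err)
}
```

The first scenario is the failure Wayne describes as "sites not working in Firefox": the server is misconfigured, and a client that neither fetches nor preloads surfaces that. The second is the preloading approach: the same misconfigured server is tolerated without the client revealing its browsing to the CA's AIA host, because the lookup is against a local pool. The third shows that a correctly configured server needs neither.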
