Someone really should write up "AIA chasing considered harmful". It was disputed at the TLS session at IETF 105, which shows that the reasoning behind it is not as widely understood as it needs to be, even among TLS experts.
I'm very appreciative of Firefox's efforts in this area. Leveraging the knowledge of all the publicly disclosed ICAs to improve chain-building is an idea whose time has come.

-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Wayne Thayer via dev-security-policy
> Sent: Monday, December 2, 2019 3:29 PM
> To: Ben Laurie <b...@google.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Peter Gutmann <pgut...@cs.auckland.ac.nz>
> Subject: Re: [FORGED] Re: How Certificates are Verified by Firefox
>
> Why not "AIA chasing considered harmful"? The current state of affairs is that most browsers [other than Firefox] will go and fetch the intermediate if it's not cached. This manifests itself as sites not working in Firefox, and users switching to other browsers.
>
> You may be further dismayed to learn that Firefox will soon implement intermediate preloading as a privacy-preserving alternative to AIA chasing.
>
> - Wayne
>
> https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading#Intermediate_CA_Preloading
>
> On Thu, Nov 28, 2019 at 1:39 PM Ben Laurie <b...@google.com> wrote:
> >
> > On Thu, 28 Nov 2019 at 20:22, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> >
> > > Ben Laurie via dev-security-policy <email@example.com> writes:
> > >
> > > > In short: caching considered harmful.
> > >
> > > Or "caching considered necessary to make things work"?
> >
> > If you happen to visit a bazillion sites a day.
> >
> > > In particular:
> > >
> > > > caching them and filling in missing ones means that failure to present correct cert chains is common behaviour.
> > >
> > > Which came first? Was caching a response to broken chains or broken chains a response to caching?
> > >
> > > Just trying to sort out cause and effect.
> >
> > Pretty sure if broken chains caused browsers to not show pages, then there wouldn't be broken chains.
> >
> > --
> > I am hiring! Formal methods, UX, SWE ... verified s/w and h/w. #VerifyAllTheThings.
> >
> > https://g.co/u58vjr https://g.co/adjusu *(Google internal)*
>
> _______________________________________________
> dev-security-policy mailing list
> firstname.lastname@example.org
> https://lists.mozilla.org/listinfo/dev-security-policy
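Added example, not part of the thread above and not Firefox's or Mozilla's code: the breakage Wayne describes (a server sends only its leaf, the client does not AIA-chase, the site fails) and the repair (the client already holds the intermediate locally, as intermediate preloading would supply it) reproduced with the openssl CLI on a throwaway three-tier PKI. It assumes openssl 1.1.1 or later on PATH; every certificate name and the AIA URL (under the reserved example.invalid domain) are constructed for the demo, and nothing is fetched over the network.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf with
# openssl, then verify the leaf with and without a local copy of the
# intermediate. Assumes openssl 1.1.1+ on PATH. All names/URLs are constructed.

# make_test_pki DIR: create root (trust anchor), intermediate and leaf in DIR.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA extensions: without CA:TRUE, verify rejects the intermediate as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # End-entity extensions, including a caIssuers AIA pointer. That URL is what
    # an AIA-chasing client would fetch to fill in a missing intermediate;
    # nothing in this script fetches it.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/leaf.ext"
    printf 'authorityInfoAccess=caIssuers;URI:http://example.invalid/int.der\n' \
        >> "$dir/leaf.ext"

    for name in root int leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=Example Test $name" >/dev/null 2>&1
    done
    # Self-signed root.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate signed by the root.
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
    # Leaf signed by the intermediate.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_chain ROOT LEAF [INTERMEDIATE]: returns 0 if LEAF chains to ROOT using
# only the material named on the command line. The system CA directory is
# disabled with -no-CApath and openssl verify never fetches over the network,
# so this behaves like a client that does not AIA-chase.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# aia_url CERT: print the caIssuers URI an AIA-chasing client would follow.
aia_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    # Case 1: the server sends only its leaf and the client holds only the root.
    if verify_chain "$d/root.pem" "$d/leaf.pem"; then
        echo "leaf only: OK (unexpected)"
    else
        echo "leaf only: FAIL (intermediate missing; the site breaks for a non-chasing client)"
    fi
    # Case 2: same server, but the client has the intermediate preloaded.
    if verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem"; then
        echo "leaf + preloaded intermediate: OK"
    fi
    echo "AIA caIssuers URL a chasing client would fetch: $(aia_url "$d/leaf.pem")"
    rm -rf "$d"
}

demo
```

The `-untrusted` file plays the role of the preloaded intermediate set: it is not trusted on its own, it only lets the path builder bridge from the leaf to a root that is already in the trust store. A chasing client would instead dereference the caIssuers URL printed in the last line, which is the network round trip (and the privacy leak to the CA's server) that the preloading approach avoids.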