On Wed, 4 Dec 2019 17:12:50 -0500 Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> Yes, I am one of the ones who actively disputes the notion that AIA
> considered harmful.

As not infrequently happens I can't agree with Ryan here. AIA chasing in browsers is a non-trivial privacy leak AND doesn't match how the specification says things work.

What I'd like to see, as with OCSP stapling, is for web /servers/ to do the fix-up, not browsers. If an operator doesn't take the initiative to provide the server with a complete chain, it should do its own AIA chasing to discern the chain and then provide that chain in the TLS Certificate message. This obeys the specification AND makes the server software easier to administrate AND has few or no privacy implications. No new standards development work is needed.

Anybody can do this today, but so far as I can tell nobody does. I know Mozilla does outreach to server operators, but does it also do any outreach to server software developers? Is the situation that they've got their fingers in their ears about this, or that we aren't yelling at the right people?

Nick.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
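Server-side AIA chasing of the kind Nick describes, as an added example that is not part of the original thread and not the code of any server software (Go standard library only). The three-tier PKI, the caIssuers URLs under pki.example.test and the map standing in for the CA's web server are all constructed here so the program runs offline; a real server would replace the fetcher with one HTTP GET per URL at startup or configuration reload, never per handshake. The point a browser-side chase cannot make is visible in fetchIssuer: the URL in the AIA extension is only a hint, so a fetched certificate is accepted only if its key verifies the signature on the certificate that pointed at it, and BuildChain bounds the walk so a cyclic pointer chain cannot hang the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fetcher returns the bytes served at an AIA caIssuers URL, or nil if the fetch failed (a real server would HTTP GET once at startup).
type Fetcher func(url string) []byte

// fetchIssuer returns the first certificate behind cur's caIssuers URLs that signed cur.
func fetchIssuer(cur *x509.Certificate, fetch Fetcher) (*x509.Certificate, error) {
	for _, u := range cur.IssuingCertificateURL {
		cand, err := x509.ParseCertificate(fetch(u)) // nil bytes simply fail to parse
		// AIA is a hint, not proof: accept only a certificate whose key verifies cur's signature.
		if err == nil && cur.CheckSignatureFrom(cand) == nil {
			return cand, nil
		}
	}
	return nil, fmt.Errorf("no caIssuers URL of %q served a certificate that signed it", cur.Subject.CommonName)
}

// BuildChain is the server-side AIA chase: from the leaf, follow caIssuers until the trust anchor
// or a certificate without AIA. The result is what belongs in the TLS Certificate message: leaf,
// then intermediates, no root (clients carry their own anchors; RFC 8446 4.4.2 permits omitting it).
func BuildChain(leaf *x509.Certificate, fetch Fetcher, maxDepth int) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(cur.IssuingCertificateURL) > 0; {
		if len(chain) > maxDepth { // guards against cyclic or absurdly long AIA pointer chains
			return nil, fmt.Errorf("AIA chase exceeded depth %d; refusing to loop", maxDepth)
		}
		issuer, err := fetchIssuer(cur, fetch)
		if err != nil {
			return nil, err
		}
		if issuer.CheckSignatureFrom(issuer) == nil { // self-signed: the trust anchor
			break
		}
		chain, cur = append(chain, issuer), issuer
	}
	return chain, nil
}

// issue mints a test cert (fresh P-256 key) signed by parent, or self-signed when parent is nil; aia is its caIssuers URL.
func issue(cn string, serial int64, ca bool, aia []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, IssuingCertificateURL: aia,
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn},
	}
	if ca {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign, nil
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // a template error is a bug in the fixture
	}
	cert, _ := x509.ParseCertificate(der) // bytes just produced by CreateCertificate parse
	return cert, key
}

// Hypothetical caIssuers URLs, matched only against the constructed fetcher below.
const rootURL, interURL = "http://pki.example.test/root.der", "http://pki.example.test/inter.der"

// DemoChain models an operator who installed only the leaf: the server chases AIA itself,
// and the assembled chain is then verified the way a client that knows only the root would.
func DemoChain() ([]*x509.Certificate, error) {
	root, rootKey := issue("Example Root", 1, true, nil, nil, nil)
	inter, interKey := issue("Example Intermediate", 2, true, []string{rootURL}, root, rootKey)
	leaf, _ := issue("www.example.test", 3, false, []string{interURL}, inter, interKey)
	served := map[string][]byte{rootURL: root.Raw, interURL: inter.Raw} // constructed AIA host
	chain, err := BuildChain(leaf, func(u string) []byte { return served[u] }, 5)
	if err != nil {
		return nil, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err = chain[0].Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	return chain, err
}

func main() {
	chain, err := DemoChain()
	fmt.Println(len(chain), "certificates to send; verify error:", err) // 2 certificates to send; verify error: <nil>
}
```

Two caveats for anyone wiring this into real server software: a caIssuers URL may serve a PKCS#7 bundle (RFC 5280 allows application/pkcs7-mime as well as a single application/pkix-cert), so production code needs to unpack that case too, and the fetch happens over plain HTTP by design, which is safe only because the signature check above, not the transport, decides whether a fetched certificate is trusted.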

