On Mon, 2 Dec 2019 at 20:28, Wayne Thayer <[email protected]> wrote:
> Why not "AIA chasing considered harmful"? The current state of affairs is
> that most browsers [other than Firefox] will go and fetch the intermediate
> if it's not cached. This manifests itself as sites not working in Firefox,
> and users switching to other browsers.

AIA does not prevent single verifications from working, unlike caching.

> You may be further dismayed to learn that Firefox will soon implement
> intermediate preloading [1] as a privacy-preserving alternative to AIA
> chasing.

If that involves loading and using intermediates that are not actually available via AIA, then yes.

> - Wayne
>
> [1]
> https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading#Intermediate_CA_Preloading
>
> On Thu, Nov 28, 2019 at 1:39 PM Ben Laurie <[email protected]> wrote:
>
>> On Thu, 28 Nov 2019 at 20:22, Peter Gutmann <[email protected]>
>> wrote:
>>
>>> Ben Laurie via dev-security-policy <
>>> [email protected]> writes:
>>>
>>> >In short: caching considered harmful.
>>>
>>> Or "cacheing considered necessary to make things work"?
>>
>> If you happen to visit a bazillion sites a day.
>>
>>> In particular:
>>>
>>> >caching them and filling in missing ones means that failure to present
>>> >correct cert chains is common behaviour.
>>>
>>> Which came first? Was cacheing a response to broken chains or broken
>>> chains a response to cacheing?
>>>
>>> Just trying to sort out cause and effect.
>>
>> Pretty sure if broken chains caused browsers to not show pages, then
>> there wouldn't be broken chains.
>>
>> --
>> I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
>> #VerifyAllTheThings.
>>
>> https://g.co/u58vjr https://g.co/adjusu
>> *(Google internal)*

--
I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
#VerifyAllTheThings.

https://g.co/u58vjr https://g.co/adjusu
*(Google internal)*

