Eddy Nigg (StartCom Ltd.) wrote:

> Nelson Bolyard wrote:
>> Yes, there is a standard for certs that allows (but does not require)
>> "relying parties" to go search on the internet for missing
>> intermediate CA certs.  
> Do you have the quote from the corresponding RFC for this?

It's RFC 3280 section 4.2.2.1, Authority Information Access.
Too big to quote here.

>> But that standard does NOT relieve SSL servers of the obligation to
>> send their entire server cert chains 
> Correct.

Later, Eddy wrote:
> If there is such a standard which suggests it as an option, then I think
> Mozilla should implement it....

We're working on it.  Now up to 60,000 lines of new code for it, and
still growing.  This feature is actually necessary in "bridge CA" (a.k.a.
"Cross certified CA") infrastructures, which are now beginning to emerge,
mostly in Asia.

Earlier, Eddy wrote:
> At our CA, we have a robot checking for missing ICA certificates....and 
> send an appropriate message to the subscriber...

And by "the subscriber", Eddy means the web site administrator who
acquired the cert for his server.

Eddy, that's brilliant.  It's a service that adds tremendous value for your
subscribers and all their users/customers.  I wish more CAs did that.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
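The two things discussed above, a server that omits an intermediate CA cert and the AIA caIssuers pointer (RFC 3280 4.2.2.1) a relying party could use to fetch it, can be exercised with this added example; it is not code from the thread, from Mozilla or from StartCom. It builds a constructed root/intermediate/leaf PKI in memory (all names and URLs are invented) and walks the chain a server actually sent, reporting the first certificate whose issuer is missing together with its AIA URL, which is the kind of check a CA-side robot or a server operator can run before users ever see a broken chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues one certificate of the constructed test PKI (parent == nil: self-signed); aia is its AIA caIssuers URL.
func mkCert(cn string, isCA bool, aia []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IssuingCertificateURL: aia}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MissingIssuer walks the chain a server actually sent, leaf first, and returns "" once a certificate signed by the
// trusted root is reached; otherwise the subject whose issuer was not sent plus the AIA caIssuers URLs to fetch it.
func MissingIssuer(served []*x509.Certificate, root *x509.Certificate) (string, []string) {
	cur := served[0]
	for range served { // bounded walk: cross-certified (bridge) CAs can form loops
		if cur.CheckSignatureFrom(root) == nil {
			return "", nil
		}
		next := cur
		for _, c := range served {
			if c != cur && cur.CheckSignatureFrom(c) == nil {
				next = c
			}
		}
		if next == cur {
			return cur.Subject.CommonName, cur.IssuingCertificateURL
		}
		cur = next
	}
	return cur.Subject.CommonName + " (loop: trusted root never reached)", nil
}
```

Feeding it the chain captured from a real server would need the server's certificates and the relying party's own trusted root in place of the constructed ones.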