On 01/12/2011, at 2:38 AM, Andrew Chi wrote:
>
> 2. AIA correctness. Does res-certs require validators to reject a
> certificate with a messed up AIA URI, even if top-down traversal is ok?
> Having clean AIAs obviously helps bottom-up validators. But validators
> capable of bottom-up traversal must already defend against
> AIA-wild-goose-chase DoS, e.g. by limiting chase depth. Should we encourage
> validators to enforce AIA correctness?
res-certs says that there MUST be an AIA and the text says that it points to
the "publication point of the immediate superior certificate". In the case
where a local TA is being used (and in other conceivable cases) it is possible
for multiple CAs to certify a subject. What the spec does NOT say is that the
AIA must point to the publication point of all such CAs. So it appears to be
within the bounds of the res-cert profile for a certificate hierarchy of the
form
    CA A      CA B
     |         |
     V         V
         CA C
Now if the AIA of certificates issued by CA C points to the publication point
of CA A, then if you are performing a validation along the path A to C then
this is NOT "messed up", and things look fine. If you are performing a
validation along the path from B to C then it IS "messed up", and things look
good.
So "messed up" in AIA appears to be a little bit in the eyes of the beholder
rather than an objective condition.
On what grounds would a validator reject certificates issued by CA C in this
example?
regards,
Geoff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
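To make the "eye of the beholder" point concrete, here is an added toy model of the hierarchy in Geoff's message. It is illustration code written for this page, not code from the thread, from res-certs, or from any RPKI validator; certificates are plain dicts (no X.509 parsing or signature checking), and all names, publication-point URIs and the depth limit are constructed. CA A and CA B both certify CA C; the certificates C issues carry an AIA that points at the copy of C's certificate that A published. A top-down walk from either trust anchor finds a path, a bottom-up AIA chase only ever lands at A, and the AIA is consistent with one path and inconsistent with the other.

```python
from collections import namedtuple

# Minimal certificate model: who it names, who issued it, and where its AIA
# says the issuer's certificate is published.  None means "no AIA" (a
# self-signed trust-anchor candidate).
Cert = namedtuple("Cert", "name subject issuer aia")

# Constructed sample hierarchy (hypothetical names and URIs).
CERTS = {
    "A-self":  Cert("A-self",  "A",  "A", None),
    "B-self":  Cert("B-self",  "B",  "B", None),
    "C-by-A":  Cert("C-by-A",  "C",  "A", "rsync://a.example/repo/A.cer"),
    "C-by-B":  Cert("C-by-B",  "C",  "B", "rsync://b.example/repo/B.cer"),
    # Everything C issues carries the same AIA: the copy of C's own
    # certificate that A published.  This is the situation in the message.
    "EE-by-C": Cert("EE-by-C", "EE", "C", "rsync://a.example/repo/C.cer"),
}

# Which certificate sits at which publication point (constructed).
PUBLICATION_POINTS = {
    "rsync://a.example/repo/A.cer": "A-self",
    "rsync://b.example/repo/B.cer": "B-self",
    "rsync://a.example/repo/C.cer": "C-by-A",
    "rsync://b.example/repo/C.cer": "C-by-B",
}


def top_down_paths(ta, target, certs=CERTS):
    """All issuer->subject chains from trust anchor `ta` to `target`, found by
    following subject/issuer name links only.  AIA is never consulted."""
    paths = []

    def walk(current, path):
        if current == target:
            paths.append(path)
            return
        subj = certs[current].subject
        for c in certs.values():
            if c.issuer == subj and c.name not in path:
                walk(c.name, path + [c.name])

    walk(ta, [ta])
    return paths


def aia_chase(leaf, certs=CERTS, pubpoints=PUBLICATION_POINTS, max_depth=8):
    """Bottom-up: follow AIA pointers upward from `leaf` until a certificate
    without an AIA is reached.  Returns the certificate names from leaf to
    top.  A dangling pointer, a loop, or more than `max_depth` hops raises,
    which is the wild-goose-chase defence Andrew refers to."""
    chain = [leaf]
    for _ in range(max_depth):
        cert = certs[chain[-1]]
        if cert.aia is None:
            return chain
        parent = pubpoints.get(cert.aia)
        if parent is None:
            raise ValueError(f"{cert.name}: AIA {cert.aia} does not resolve")
        if parent in chain:
            raise ValueError(f"{cert.name}: AIA loops back to {parent}")
        chain.append(parent)
    raise ValueError(f"{leaf}: AIA chase exceeded {max_depth} hops")


def aia_mismatches(path, certs=CERTS, pubpoints=PUBLICATION_POINTS):
    """Given a top-down path [ta, ..., leaf], return the certificates whose
    AIA does not resolve to the certificate directly above them in that
    path.  An empty list means the AIAs agree with this particular path."""
    return [below for above, below in zip(path, path[1:])
            if pubpoints.get(certs[below].aia) != above]


if __name__ == "__main__":
    for ta in ("A-self", "B-self"):
        for path in top_down_paths(ta, "EE-by-C"):
            print(ta, "->", path, "AIA mismatches:", aia_mismatches(path))
    print("bottom-up AIA chase:", aia_chase("EE-by-C"))
    # A constructed self-referencing AIA is cut off rather than chased.
    looped = dict(CERTS, X=Cert("X", "X", "X", "rsync://x.example/X.cer"))
    pp = dict(PUBLICATION_POINTS, **{"rsync://x.example/X.cer": "X"})
    try:
        aia_chase("X", looped, pp)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the asymmetry the message describes: the path A -> C -> EE has no AIA mismatch, the path B -> C -> EE flags EE-by-C (its AIA resolves to C-by-A, not C-by-B), and the bottom-up chase from EE-by-C ends at A-self regardless of which TA the validator actually trusts. A validator that required AIA consistency would therefore accept or reject the same certificate depending only on which trust anchor it started from.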