On 03/12/2011, at 8:46 AM, Geoff Huston wrote:

>
> On 01/12/2011, at 2:38 AM, Andrew Chi wrote:
>
>>
>> 2. AIA correctness. Does res-certs require validators to reject a
>> certificate with a messed up AIA URI, even if top-down traversal is ok?
>> Having clean AIAs obviously helps bottom-up validators. But validators
>> capable of bottom-up traversal must already defend against
>> AIA-wild-goose-chase DoS, e.g. by limiting chase depth. Should we encourage
>> validators to enforce AIA correctness?
>
> res-certs says that there MUST be an AIA and the text says that it points to
> the "publication point of the immediate superior certificate". In the case
> where a local TA is being used (and in other conceivable cases) it is
> possible for multiple CAs to certify a subject. What the spec does NOT say is
> that the AIA must point to the publication point of all such CAs. So it
> appears to be within the bounds of the res-cert profile for a certificate
> hierarchy of the form
>
>    CA A      CA B
>      |         |
>      V         V
>         CA C
>
> Now if the AIA of certificates issued by CA C points to the publication point
> of CA A, then if you are performing a validation along the path A to C then
> this is NOT "messed up", and things look fine. If you are performing a
> validation along the path from B to C then it IS "messed up", and things look
> good.
>

things _do not_ look good :-) sorry!

> So "messed up" in AIA appears to be a little bit in the eyes of the beholder
> rather than an objective condition.
>
> On what grounds would a validator reject certificates issued by CA C in this
> example?
>
> regards,
>
> Geoff
>
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr

--

Geoff Huston
Chief Scientist, APNIC

+61 7 3858 3100
[email protected]
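The two-parent hierarchy discussed in this message, as an added example that is not part of the original post or of any RPKI validator: a toy model showing that the same certificate passes or fails an AIA check depending on the path chosen, plus a bottom-up AIA chase with a depth limit and loop check. All URIs, names and the `STORE` layout are constructed assumptions; signature and resource checks are omitted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: Optional[str]  # URI of the issuer's certificate; None for a trust anchor

# Constructed URIs (assumptions, not real publication points).
TA_A, TA_B = "rsync://ta.example/A.cer", "rsync://ta.example/B.cer"
A_C, B_C = "rsync://a.example/repo/C.cer", "rsync://b.example/repo/C.cer"
EE, LOOP = "rsync://c.example/repo/ee.cer", "rsync://c.example/repo/loop.cer"

# Constructed repository: URI -> certificate published there.
STORE = {
    TA_A: Cert("A", "A", None),
    TA_B: Cert("B", "B", None),
    A_C: Cert("C", "A", TA_A),    # CA C as certified by CA A
    B_C: Cert("C", "B", TA_B),    # CA C as certified by CA B
    EE: Cert("EE", "C", A_C),     # issued by C, AIA points at the A-side copy
    LOOP: Cert("L", "L", LOOP),   # AIA points at itself
}

def validate_top_down(path, enforce_aia):
    """path lists URIs from trust anchor to leaf; AIA is compared only on request."""
    for parent_uri, child_uri in zip(path, path[1:]):
        parent, child = STORE[parent_uri], STORE[child_uri]
        if child.issuer != parent.subject:
            return False              # names do not chain
        if enforce_aia and child.aia != parent_uri:
            return False              # AIA names a different copy of the parent
    return True

def chase_bottom_up(leaf_uri, trust_anchors, max_depth=8):
    """Follow AIA pointers upward; return the path (TA first) or None."""
    path, uri = [], leaf_uri
    for _ in range(max_depth):        # bound the chase depth
        cert = STORE.get(uri)
        if cert is None or uri in path:
            return None               # dangling pointer or AIA loop
        path.append(uri)
        if uri in trust_anchors:
            return path[::-1]
        if cert.aia is None:
            return None               # self-signed root that is not trusted
        uri = cert.aia
    return None                       # depth limit reached
```

With only CA B configured as a trust anchor, the top-down walk B to C to EE chains by name, while the AIA chase from EE ends at CA A and finds no path.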
