Ben,

Whoops, you're right. I missed the reference because I searched for AIA.

So, an EV or DV subscriber cert must contain this extension, although
5280 does not mandate it, and even though no browser is required to be
able to process it (since it's not CRITICAL).

I will revise the text for 3.3 to reflect this.

Steve


On 25 March 2016 at 14:44, Stephen Kent <[email protected]> wrote:

    As I noted above, there is no requirement (in 5280 or in CABF
    profiles) that a cert
    contain an AIA extension.


This appears to be incorrect. Section 7.1.3.2c of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.3.pdf says:

"c. authorityInformationAccess

With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted provided that the Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366]."



_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
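An added example, not code from this thread or from the CA/Browser Forum: a small checker for the BR 1.3.3 section 7.1.3.2 c requirements Ben quotes above (AIA present, non-critical, HTTP OCSP URL under 1.3.6.1.5.5.7.48.1 unless stapling, HTTP caIssuers URL under 1.3.6.1.5.5.7.48.2 as SHOULD). It uses only the Python standard library, so it carries its own minimal DER encoder/decoder for AuthorityInfoAccessSyntax; the hostnames in the sample extension values are constructed.

```python
"""Added example: check an X.509 authorityInformationAccess (AIA) extension
against CA/Browser Forum Baseline Requirements 1.3.3, section 7.1.3.2 c.
Pure standard library; the sample URLs below are constructed, not real."""
import re

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # URI = [6] IMPLICIT IA5String
HTTP_URL = re.compile(r"^http://", re.IGNORECASE)  # the BR text says "HTTP URL"

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(TAG_OID, bytes(out))

def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, contents, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_aia(descriptions):
    """[(accessMethod OID, URL), ...] -> DER AuthorityInfoAccessSyntax."""
    body = b"".join(der(TAG_SEQUENCE, encode_oid(oid) + der(TAG_URI, url.encode("ascii")))
                    for oid, url in descriptions)
    return der(TAG_SEQUENCE, body)

def decode_aia(value):
    """DER AuthorityInfoAccessSyntax -> [(OID, URL or None if not a URI), ...]."""
    tag, body, _ = read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ad, pos = read_tlv(body, pos)      # one AccessDescription
        _, oid_body, p = read_tlv(ad, 0)      # accessMethod
        loc_tag, loc, _ = read_tlv(ad, p)     # accessLocation (GeneralName)
        out.append((decode_oid(oid_body), loc.decode("ascii") if loc_tag == TAG_URI else None))
    return out

def check_aia(extension, stapling=False):
    """extension: None if the cert has no AIA, else (critical, der_value).
    stapling: subscriber staples OCSP in TLS, so the OCSP URL MAY be omitted.
    Returns [(level, message), ...]; an empty list means compliant."""
    findings = []
    if extension is None:
        if not stapling:
            return [("MUST", "AIA extension absent")]
        critical, descs = False, []
    else:
        critical, value = extension
        descs = decode_aia(value)
    if critical:
        findings.append(("MUST", "AIA marked critical"))
    ocsp = [u for oid, u in descs if oid == OID_OCSP and u]
    ca = [u for oid, u in descs if oid == OID_CA_ISSUERS and u]
    if not stapling and not any(HTTP_URL.match(u) for u in ocsp):
        findings.append(("MUST", "no HTTP URL for OCSP responder"))
    if not any(HTTP_URL.match(u) for u in ca):
        findings.append(("SHOULD", "no HTTP URL for issuing CA certificate"))
    return findings

# Constructed sample extension values (hypothetical hostnames).
SAMPLE_OK = encode_aia([(OID_OCSP, "http://ocsp.example.test"),
                        (OID_CA_ISSUERS, "http://ca.example.test/issuer.crt")])
SAMPLE_NO_OCSP = encode_aia([(OID_CA_ISSUERS, "http://ca.example.test/issuer.crt")])

if __name__ == "__main__":
    for name, ext, stapling in [("ok", (False, SAMPLE_OK), False),
                                ("critical", (True, SAMPLE_OK), False),
                                ("no-ocsp", (False, SAMPLE_NO_OCSP), False),
                                ("no-ocsp+stapling", (False, SAMPLE_NO_OCSP), True),
                                ("absent", None, False)]:
        print(name, check_aia(ext, stapling) or "compliant")
```

The `stapling` flag is an input, not something the checker can see in the certificate: whether the subscriber actually staples is a deployment fact, so a linter run against a bare certificate has to be told it. The URL test is deliberately literal ("http://"), matching the BR wording; an https:// responder URL is reported as a finding here.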
