https://bugzilla.wikimedia.org/show_bug.cgi?id=35709

Jeremy Baron <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected],
                   |                            |[email protected]
          Component|SSL related                 |Git/Gerrit

--- Comment #5 from Jeremy Baron <[email protected]> 2012-04-11 02:38:33 UTC ---
(In reply to comment #4)
> 1) To achieve the change as envisioned by submitter - 
> "SSLCertificateChainFile"
> option should be used, not "SSLCACertificateFile". This is a good thing so
> probably Gerrit change #4334 could be amended and not reverted.

I'm not certain it's a good thing and I still think it should be reverted. I
don't care so much for the case of gerrit but in general (and certainly for a
higher usage domain like a content wiki; note the same root CA is used for both
bugzilla.wikimedia.org and www.wikimedia.org and probably others) I think we
probably should not serve the root CA cert in a cert chain unless we actually
expect it to make a difference for a client. (so, either because the CA told us
to or because someone found a UA that behaves differently whether or not we
serve the root cert in a chain)

The only reason I know of for a widely accepted root CA cert to also be an
intermediate cert signed by some other root CA is if it's a new cert that wants
to get into browsers earlier than it would otherwise. (or to get in
retroactively for an already released or frozen root store)

That is a state that a root would be in only at the beginning of its life
cycle; it won't get to be an intermediate later after already being an accepted
root. This particular root seems to have been first generated in 1998.

I'm no expert on PKI genealogy or SSL / TLS service configuration or protocols.
However, my guess is that in all cases where serving a chain would make a
difference for conforming clients, the issuing CA would instruct the new cert
holder to serve a chain and would provide copies of all the intermediate CA
certs to be served. We could ask Equifax explicitly (or I could myself) but I
doubt this root doubles as an intermediary for a modern (last ~8 years?) store
that doesn't also store it directly. (that's mostly a guess but I did do some
quick and dirty [[WP:OR]] that makes me think it's been in Mozilla's store
either >10 yrs or at least >9.8 yrs)
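The distinction the comment draws (a self-signed root that does not belong in the served chain, versus a cross-signed copy of a root, which has a different issuer and does act as an intermediate) can be checked against a PEM chain file with the openssl CLI. The following is an added example, not code from the bug or from Wikimedia's Gerrit configuration; it assumes `openssl` is on PATH, uses subject == issuer as the self-signed test, and builds a throwaway root and leaf with constructed names so it runs offline.

```shell
#!/bin/sh
# Report every self-signed (root) certificate in a PEM chain file.
# Returns 0 if at least one self-signed cert is served, 1 otherwise.
# A cross-signed root is NOT flagged: its issuer differs from its subject.
served_root_certs() {
  chain="$1"
  tmp=$(mktemp -d)
  # split the concatenated PEM file into one file per certificate
  awk -v out="$tmp/c" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (out n ".pem")}' "$chain"
  found=1
  for c in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes so the DN strings are comparable
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      echo "self-signed root served in chain: ${subj#subject=}"
      found=0
    fi
  done
  rm -rf "$tmp"
  return $found
}

# Constructed test material (hypothetical names): a self-signed root, a leaf
# signed by it, and two chain files, one with and one without the root.
make_constructed_chain() {
  d="$1"
  openssl req -x509 -batch -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -days 1 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/root.pem" > "$d/chain_with_root.pem"
  cp "$d/leaf.pem" "$d/leaf_only.pem"
}

# Stand-alone demo: the first call reports the root, the second reports nothing.
if [ "${DEMO:-1}" = 1 ]; then
  d=$(mktemp -d)
  make_constructed_chain "$d"
  served_root_certs "$d/chain_with_root.pem" || true
  served_root_certs "$d/leaf_only.pem" || echo "leaf-only chain: no root served"
  rm -rf "$d"
fi
```

Against a live server the same function can be fed the output of `openssl s_client -showcerts`, which prints the chain exactly as the server sends it.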

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
