[cabfpub] BR Issue 7
Yngve Nysaeter Pettersen
yngve at opera.com
Wed Nov 7 15:34:58 MST 2012
On Tue, 06 Nov 2012 19:18:51 +0100, Yngve N. Pettersen (Developer Opera
Software ASA) <yngve at opera.com> wrote:
> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann
> <paul.tiemann.usenet at gmail.com> wrote:
>
>> +1 to what Rob said.
>>
>> We recently were faced with the question of including AIA:caIssuer in a
>> sub CA and decided against it because we couldn't identify any benefit.
>> If a browser client doesn't trust the root that the sub CA came from,
>> it's not likely to change its mind and begin to trust the root just
>> because it can more easily locate the file online.
>
> The benefit is that users will be able to visit all of your customer's
> secure web sites even if the web site administrator forgot to include your
> intermediate CA certificate when they installed their certificate.
Background information:
I have done a little quick-and-dirty analysis of the certificate data
collected by the TLS Prober this week.
The TLS Prober checked 570800 sites this week.
Of these, 10552 (1.84%) had site certificates that were unexpired, chained
to a known self-signed certificate (not necessarily publicly trusted), with
at least one intermediate CA certificate in the chain, and at the time of
the scan did not send one or more intermediate CA certificates that were
needed to verify the chain.
Of those 10552 sites, 619 (5.9%, 0.11% of total) did not contain an AIA
URL that would allow completion of the chain (one major group of involved
sub-CAs was several Thawte sub-CAs; I also saw Entrust, ipsCA, RSA,
GlobalSign).
Of course, how big the impact of these sites is depends on how frequently
they are visited, which might not be that often, and might be the reason
they are not configured correctly.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 96 90 41 51 Fax: +47 23 69 24 01
********************************************************************
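The chain-completion behaviour the thread argues about, as an added example that is not part of the original message or of the TLS Prober: it builds a constructed root, two intermediates and two leaf certificates in memory (one leaf carrying an AIA caIssuers URL, one without), then plays the role of a client that received only the leaf. The caIssuers "fetch" is a local map standing in for the HTTP GET a browser would perform, and the hostname and URL are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "www.example.test" // constructed hostname for the leaf certificates

// newTemplate builds a minimal certificate template; ca selects CA vs. end-entity fields.
func newTemplate(cn string, ca bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{host}
	}
	return t
}

// sign issues tmpl under parent using the parent's key; parent == nil makes it self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Fetcher stands in for an HTTP GET of an AIA caIssuers URL (offline in this example).
type Fetcher func(url string) (*x509.Certificate, bool)

// completeChain mimics a client: verify with what the server sent, and on failure
// follow caIssuers pointers upward until a trusted root is reached or no pointer
// remains. It reports how many certificates were fetched and whether the chain verified.
func completeChain(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, fetch Fetcher) (fetched int, ok bool) {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	top := leaf // highest certificate currently held below the root
	for depth := 0; depth <= 4; depth++ { // bound the walk like a real client would
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host}
		if _, err := leaf.Verify(opts); err == nil {
			return fetched, true
		}
		var next *x509.Certificate
		for _, u := range top.IssuingCertificateURL {
			if c, found := fetch(u); found {
				next = c
				break
			}
		}
		if next == nil {
			return fetched, false // no usable AIA pointer: the chain cannot be repaired
		}
		inter.AddCert(next)
		fetched++
		top = next
	}
	return fetched, false
}

// Scenario holds the constructed PKI used by main and by the tests.
type Scenario struct {
	Roots                   *x509.CertPool
	LeafWithAIA, LeafNoAIA  *x509.Certificate
	InterNoAIA              *x509.Certificate // issuer of LeafNoAIA
	Fetch                   Fetcher
}

func buildScenario() *Scenario {
	const aiaURL = "http://aia.example.test/issuing-ca-a.crt" // constructed URL
	rootKey, aKey, bKey, leafKey := newKey(), newKey(), newKey(), newKey()
	root := sign(newTemplate("Example Root CA", true), nil, &rootKey.PublicKey, rootKey)
	interA := sign(newTemplate("Example Issuing CA A", true), root, &aKey.PublicKey, rootKey)
	interB := sign(newTemplate("Example Issuing CA B", true), root, &bKey.PublicKey, rootKey)
	leafA := newTemplate(host, false)
	leafA.IssuingCertificateURL = []string{aiaURL} // emits the AIA caIssuers extension
	leafB := newTemplate(host, false)                // no AIA at all
	roots := x509.NewCertPool()
	roots.AddCert(root)
	repo := map[string]*x509.Certificate{aiaURL: interA} // what the URL would serve
	return &Scenario{
		Roots: roots, InterNoAIA: interB,
		LeafWithAIA: sign(leafA, interA, &leafKey.PublicKey, aKey),
		LeafNoAIA:   sign(leafB, interB, &leafKey.PublicKey, bKey),
		Fetch:       func(u string) (*x509.Certificate, bool) { c, ok := repo[u]; return c, ok },
	}
}

func main() {
	s := buildScenario()
	n, ok := completeChain(s.LeafWithAIA, nil, s.Roots, s.Fetch)
	fmt.Printf("AIA present, intermediate not sent: fetched=%d verified=%v\n", n, ok)
	n, ok = completeChain(s.LeafNoAIA, nil, s.Roots, s.Fetch)
	fmt.Printf("AIA absent, intermediate not sent:  fetched=%d verified=%v\n", n, ok)
	n, ok = completeChain(s.LeafNoAIA, []*x509.Certificate{s.InterNoAIA}, s.Roots, s.Fetch)
	fmt.Printf("AIA absent, intermediate sent:      fetched=%d verified=%v\n", n, ok)
}
```

The first run is the misconfigured-server case the message describes: the leaf alone fails, but one caIssuers fetch repairs the chain. The second run is the 619-site case, where no pointer exists and the client is stuck; only a server that sends the intermediate itself (third run) verifies without help.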