[cabfpub] BR Issue 7
sleevi at google.com
Tue Nov 6 18:39:12 UTC 2012
On Tue, Nov 6, 2012 at 10:07 AM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> I agree it doesn't help security. Adding caIssuers allows a browser to recover from a web server that fails to send the intermediate, and successfully build a chain. The server might even neglect to send the intermediate to save bytes on the wire, if it assumed that most clients had it cached.
Sure. But I don't believe that's a good enough justification to
require (MUST include) it.
> The issue (as I think I've heard it from Gerv) is that browsers like Firefox that don't try to download the caIssuers cert to form a chain end up displaying an error that the server cert isn't trusted, although when the user tries a browser like IE that does respect caIssuers, the server cert is trusted. So end users blame Firefox. I guess Firefox doesn't cache and reuse the intermediate if it's seen it before.
There are other ways available to CAs to address this issue without
needing to have the CA/B Forum address it through normative
requirements. For example, I'm aware that some CAs have gone to
schedule "follow-up calls" where they contact the SSL server of the
client and perform various configuration checks, helping
proactively inform them of configuration issues. It's not clear to me
that caIssuers needs to be strictly required as the only way /
mandatory way to address this problem.
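As an added illustration (not code from the thread or any CA), here is the kind of chain-completeness check such a follow-up call would run, in Go using only the standard library: it builds a constructed root, intermediate and leaf, walks the chain a server presents, and reports where a client that does not fetch caIssuers would stop, together with the caIssuers URL a fetching client would retrieve. The certificate names, the URL and the function names are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate; a nil parent gives a self-signed root.
func mkCert(cn string, isCA bool, caIssuers []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IssuingCertificateURL: caIssuers, // the AIA caIssuers access method (RFC 5280 4.2.2.1)
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issuerIn returns the pool certificate that names and actually signed c, or nil.
func issuerIn(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if p.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}
// chainGaps walks up from the leaf; the first certificate whose issuer is neither presented nor a trust
// anchor is where a non-fetching client fails, and its caIssuers URLs are what a fetching client retrieves.
func chainGaps(presented, roots []*x509.Certificate) map[string][]string {
	gaps := map[string][]string{}
	for cert := presented[0]; issuerIn(cert, roots) == nil; {
		next := issuerIn(cert, presented)
		if next == nil || next == cert { // missing intermediate, or an untrusted self-signed cert
			gaps[cert.Subject.CommonName] = cert.IssuingCertificateURL
			break
		}
		cert = next
	}
	return gaps
}
```

An empty map means the presented chain reaches a trust anchor without any fetching; a non-empty map names the certificate at which a browser without caIssuers support would report the server certificate as untrusted.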