[cabfpub] BR Issue 7

Paul Tiemann paul.tiemann.usenet at gmail.com
Tue Nov 6 19:18:15 UTC 2012

On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote:

> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann  
> <paul.tiemann.usenet at gmail.com> wrote:
>> +1 to what Rob said.
>> We recently were faced with the question of including AIA:caIssuer in a  
>> sub CA and decided against it because we couldn't identify any benefit.   
>> If a browser client doesn't trust the root that the sub CA came from,  
>> it's not likely to change its mind and begin to trust the root just  
>> because it can more easily locate the file online.
> The benefit is that users will be able to visit all of your customer's  
> secure web sites even if the web site administrator forgot to include your  
> intermediate CA certificate when they installed their certificate.

Sorry about any confusion - I am only referring to AIA:caIssuer in root-issued intermediate certificates.  

It makes much more sense to include it in End Entity certificates, though I believe a SHOULD would be more appropriate than a MUST for EE certificates as well.


More information about the Public mailing list