[cabfpub] BR Issue 7
Paul Tiemann
paul.tiemann.usenet at gmail.com
Tue Nov 6 19:18:15 UTC 2012
On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann
> <paul.tiemann.usenet at gmail.com> wrote:
>
>> +1 to what Rob said.
>>
>> We recently were faced with the question of including AIA:caIssuer in a
>> sub CA and decided against it because we couldn't identify any benefit.
>> If a browser client doesn't trust the root that the sub CA came from,
>> it's not likely to change its mind and begin to trust the root just
>> because it can more easily locate the file online.
>
> The benefit is that users will be able to visit all of your customer's
> secure web sites even if the web site administrator forgot to include your
> intermediate CA certificate when they installed their certificate.

Sorry about any confusion - I am only referring to AIA:caIssuer in root-issued intermediate certificates.

It makes much more sense to include it in End Entity certificates, though I believe a SHOULD would be more appropriate than a MUST for EE certificates as well.

Cheers,
Paul