[cabfpub] BR Issue 7

Ryan Hurst ryan.hurst at globalsign.com
Tue Nov 6 19:20:39 UTC 2012

There is even value in the root-issued intermediates, as there are often
updated versions of roots published; inclusion of the pointer in root-issued
intermediates makes it possible for the most recent version of the
certificate to always be discoverable.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Paul Tiemann
Sent: Tuesday, November 06, 2012 11:18 AM
To: Yngve N. Pettersen (Developer Opera Software ASA)
Cc: public at cabforum.org
Subject: Re: [cabfpub] BR Issue 7

On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera Software
ASA) wrote:

> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann 
> <paul.tiemann.usenet at gmail.com> wrote:
>> +1 to what Rob said.
>> We recently were faced with the question of including AIA:caIssuer in a  
>> sub CA and decided against it because we couldn't identify any benefit.

>> If a browser client doesn't trust the root that the sub CA came from, 
>> it's not likely to change its mind and begin to trust the root just 
>> because it can more easily locate the file online.
> The benefit is that users will be able to visit all of your customer's 
> secure web sites even if the web site administrator forgot to include 
> your intermediate CA certificate when they installed their certificate.

Sorry about any confusion - I am only referring to AIA:caIssuer in
root-issued intermediate certificates.  

It makes much more sense to include it in End Entity certificates, though I
believe a SHOULD would be more appropriate than a MUST for EE certificates
as well.
