[cabfpub] BR Issue 7
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Tue Nov 6 19:25:59 UTC 2012
On Tue, 06 Nov 2012 20:18:15 +0100, Paul Tiemann
<paul.tiemann.usenet at gmail.com> wrote:
> On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera
> Software ASA) wrote:
>
>> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann
>> <paul.tiemann.usenet at gmail.com> wrote:
>>
>>> +1 to what Rob said.
>>>
>>> We recently were faced with the question of including AIA:caIssuer in a
>>> sub CA and decided against it because we couldn't identify any benefit.
>>> If a browser client doesn't trust the root that the sub CA came from,
>>> it's not likely to change its mind and begin to trust the root just
>>> because it can more easily locate the file online.
>>
>> The benefit is that users will be able to visit all of your customer's
>> secure web sites even if the web site administrator forgot to include
>> your
>> intermediate CA certificate when they installed their certificate.
>
> Sorry about any confusion - I am only referring to AIA:caIssuer in
> root-issued intermediate certificates.
Those certs does not have to have the AIA URLs, in fact in those cases
they SHOULD NOT/MUST NOT have it, unless it was also signed by some other
subordinate CA cert. It may be that my current text does not say that
clearly.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 96 90 41 51 Fax: +47 23 69 24 01
********************************************************************
More information about the Public
mailing list