[cabfpub] BR Issue 7

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Tue Nov 6 19:25:59 UTC 2012

On Tue, 06 Nov 2012 20:18:15 +0100, Paul Tiemann  
<paul.tiemann.usenet at gmail.com> wrote:

> On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera  
> Software ASA) wrote:
>> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann
>> <paul.tiemann.usenet at gmail.com> wrote:
>>> +1 to what Rob said.
>>> We recently were faced with the question of including AIA:caIssuer in a
>>> sub CA and decided against it because we couldn't identify any benefit.
>>> If a browser client doesn't trust the root that the sub CA came from,
>>> it's not likely to change its mind and begin to trust the root just
>>> because it can more easily locate the file online.
>> The benefit is that users will be able to visit all of your customer's
>> secure web sites even if the web site administrator forgot to include  
>> your
>> intermediate CA certificate when they installed their certificate.
> Sorry about any confusion - I am only referring to AIA:caIssuer in  
> root-issued intermediate certificates.

Those certs does not have to have the AIA URLs, in fact in those cases  
they SHOULD NOT/MUST NOT have it, unless it was also signed by some other  
subordinate CA cert. It may be that my current text does not say that  

Yngve N. Pettersen
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01

More information about the Public mailing list