[cabfpub] BR Issue 7
paul.tiemann.usenet at gmail.com
Tue Nov 6 19:30:13 UTC 2012
On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling
> <rob.stradling at comodo.com> wrote:
>> However, I'm afraid we can't accept the AIA->caIssuers changes in
>> Yngve's motion for the following reasons:
>> 1. As written...
>> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
>> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
>> be downloaded"
>> ...Yngve's motion outlaws Subordinate CA Certificates issued directly by
>> Root Certificates which have not been cross-certified!
> That is not the intention.
> The intention is that if a Sub-ordinate CA certificate was NOT issued by a
> Root, *then* it must have an AIA URL so that the client can (try to) trace
> the chain of the certificate to a Root certificate that it recognizes.
Ah - thanks Yngve, it looks like I missed your intention here earlier.
In practice, I'd still love it to be a "SHOULD" and see AIA:caIssuer populated in EE and non-rooted sub CAs 99% of the time. I can imagine certain big customers will want to push the performance envelope by keeping their certificate as small as possible, and for those cases I want the flexibility.
> Perhaps the confusion can be avoided by specifically saying "a
> Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the
Yes, this may be good. However, leaving it as "SHOULD" also solves the problem without needing the technical language.
More information about the Public