[cabfpub] BR Issue 7

Yngve Nysaeter Pettersen yngve at opera.com
Wed Nov 7 22:34:58 UTC 2012

On Tue, 06 Nov 2012 19:18:51 +0100, Yngve N. Pettersen (Developer Opera  
Software ASA) <yngve at opera.com> wrote:

> On Tue, 06 Nov 2012 19:01:03 +0100, Paul Tiemann
> <paul.tiemann.usenet at gmail.com> wrote:
>> +1 to what Rob said.
>> We recently were faced with the question of including AIA:caIssuer in a
>> sub CA and decided against it because we couldn't identify any benefit.
>> If a browser client doesn't trust the root that the sub CA came from,
>> it's not likely to change its mind and begin to trust the root just
>> because it can more easily locate the file online.
> The benefit is that users will be able to visit all of your customer's
> secure web sites even if the web site administrator forgot to include
> your intermediate CA certificate when they installed their certificate.

Background information:

I have done a little quick-and-dirty analysis of the certificate data
collected by the TLS Prober this week.

The TLS Prober checked 570800 sites this week.

Of these, 10552 (1.84%) had site certificates that were unexpired, chained
to a known self-signed certificate (not necessarily publicly trusted), with
at least one intermediate CA certificate in the chain, and at the time of
the scan did not send one or more intermediate CA certificates that were
needed to verify the chain.

Of those 10552 sites, 619 (5.9%, 0.11% of total) did not contain an AIA
URL that would allow completion of the chain (one major group of involved
sub-CAs was several Thawte sub-CAs; I also saw Entrust, ipsCA, RSA,

Of course, how big the impact of these sites is depends on how frequently
they are visited, which might not be that often, and might be the reason
they are not configured correctly.

Yngve N. Pettersen
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
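The three cases behind the probe numbers above (full chain sent; intermediate missing but the site certificate carries an AIA caIssuers URL; intermediate missing and no AIA URL), as an added example that is not part of the original message or of the TLS Prober. It is a standard-library-only Go program that mints a constructed root/intermediate/leaf PKI and then plays the client against what a server would send. The CA names, the hostname www.example.test and the URL http://pki.example.test/intermediate.crt are made up for the example; AnalyzeServedChain, ChainReport, issue and BuildScenarios are names chosen here, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what a client can say about the certificates a server sent.
type ChainReport struct {
	Verified      bool     // chain reached a trusted root using only the served certificates
	MissingIssuer string   // subject of the issuer the server failed to send, if any
	AIAURLs       []string // caIssuers URLs in the orphaned certificate that could fill the gap
	Err           error    // a verification failure not explained by a missing intermediate
}

// AnalyzeServedChain plays the client: served[0] is the site certificate, the rest are
// whatever intermediates the server included (served must not be empty).
func AnalyzeServedChain(served []*x509.Certificate, roots *x509.CertPool) ChainReport {
	interPool := x509.NewCertPool()
	for _, c := range served[1:] {
		interPool.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: interPool})
	if err == nil {
		return ChainReport{Verified: true}
	}
	// UnknownAuthorityError.Cert is the certificate for which no issuer could be found, i.e.
	// the top of what the server sent. Its AIA caIssuers URL, if it has one, is what lets a
	// client fetch the missing intermediate and complete the chain on its own.
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return ChainReport{MissingIssuer: unknown.Cert.Issuer.String(), AIAURLs: unknown.Cert.IssuingCertificateURL}
	}
	return ChainReport{Err: err} // expired, bad signature, name mismatch, ...
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a fixture certificate for cn (nil parent: self-signed root); aiaURL, if set,
// is written as the AIA caIssuers URL. Fixture code, so it panics on failure.
func issue(cn string, serial int64, ca bool, aiaURL string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if aiaURL != "" {
		tmpl.IssuingCertificateURL = []string{aiaURL}
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildScenarios builds a toy PKI (root -> intermediate -> leaf) and reproduces the three
// cases in the probe data. All names and URLs here are constructed for this example.
func BuildScenarios() (complete, missingWithAIA, missingNoAIA ChainReport) {
	root, rootKey := issue("Example Root CA", 1, true, "", nil, nil)
	inter, interKey := issue("Example Intermediate CA", 2, true, "", root, rootKey)
	leafAIA, _ := issue("www.example.test", 3, false, "http://pki.example.test/intermediate.crt", inter, interKey)
	leafNoAIA, _ := issue("www.example.test", 4, false, "", inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return AnalyzeServedChain([]*x509.Certificate{leafAIA, inter}, roots),
		AnalyzeServedChain([]*x509.Certificate{leafAIA}, roots),
		AnalyzeServedChain([]*x509.Certificate{leafNoAIA}, roots)
}

func main() {
	complete, withAIA, noAIA := BuildScenarios()
	fmt.Printf("full chain sent:           %+v\nno intermediate, AIA set:  %+v\nno intermediate, no AIA:   %+v\n",
		complete, withAIA, noAIA)
}
```

The step the browsers in this thread rely on, fetching the caIssuers URL and retrying with the downloaded certificate appended to served, is left out so the program runs offline; when adding it, treat the URL only as a hint: the fetched certificate still has to pass the same Verify call, and a client that follows caIssuers unconditionally should bound the number of fetches and the time it spends on them, since the server controls that URL.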
