If there is only one possible certification path then there is no difference between caching just the EE certificate and caching the entire chain. However, in the event that multiple certificate paths are possible there may be a difference in behavior. It is possible that you would trust a specific trust anchor (or intermediate CA) to be more specific about getting things correct (sooner or later). There may be differences in extensions which exist in the intermediate certificates which might lead to slightly different behavior in how the EE certificates are treated. It is for these reasons that if an explicit mismatch exists then you might be more or less willing to trust the EE certificate based on a specific validation path but not on another validation path.
Jim

> -----Original Message-----
> From: Matt McCutchen [mailto:[email protected]]
> Sent: Wednesday, September 29, 2010 6:11 PM
> To: Peter Saint-Andre
> Cc: Jim Schaad; 'IETF cert-based identity'
> Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
>
> On Wed, 2010-09-29 at 16:39 -0600, Peter Saint-Andre wrote:
> > On 9/29/10 4:19 PM, Jim Schaad wrote:
> > > There was one case in the original text here that I was expecting to be
> > > kept. This was the case of the chain of certificates being changed from
> > > when it was originally presented. Given the suggestion that the
> > > chain is shown for advanced users (see 4.6.4) I am wondering about
> > > the fact that we are no longer looking at anything more than the
> > > terminal certificate at this point.
> >
> > Yes, that's important.
>
> What is the benefit of caching the entire certification path? What attacks
> does it prevent? Mozilla PSM only caches the end-entity certificate, and if
> there is a problem with that approach, I would like to know about it.
>
> --
> Matt

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
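The behavioral difference Jim describes (the same EE certificate reachable through two paths, one of which carries an intermediate extension that rejects it) can be shown with a small model. The following is an added illustration written for this archive page; it is not code from the thread, from the draft, or from Mozilla PSM. It is a constructed toy: certificates are plain records, "issued by" is matched on names rather than signatures, and the only CA extension modelled is a hypothetical permitted-DNS name constraint. The two roots, the cross-issued "Sub CA" and the hostnames are all made up for the example.

```python
"""Toy model: caching a certificate decision on the end-entity (EE) cert
alone versus on the whole presented chain.

Constructed for illustration only: no X.509 parsing, no signature checks.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    dns_names: Tuple[str, ...] = ()
    # Stand-in for a nameConstraints permittedSubtrees on a CA cert: if set,
    # every DNS name of an EE below this CA must end with one of the suffixes.
    permitted_dns: Optional[Tuple[str, ...]] = None

    @property
    def fingerprint(self) -> str:
        # Hash of the record, standing in for a hash of the DER encoding.
        return sha256(repr(self).encode()).hexdigest()[:16]


def build_paths(ee: Cert, intermediates: List[Cert],
                anchors: List[Cert]) -> List[List[Cert]]:
    """Every path [ee, ..., anchor] formable from the presented intermediates
    and the configured trust anchors (issuer/subject name matching only)."""
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        tail = chain[-1]
        for anchor in anchors:
            if anchor.subject == tail.issuer:
                paths.append(chain + [anchor])
        for ca in intermediates:
            if ca.subject == tail.issuer and ca not in chain:
                walk(chain + [ca])

    walk([ee])
    return paths


def path_valid(path: List[Cert]) -> bool:
    """Name constraints carried by any CA on the path must permit every
    DNS name in the EE certificate."""
    ee = path[0]
    for ca in path[1:]:
        if ca.permitted_dns is None:
            continue
        if not all(any(n.endswith(s) for s in ca.permitted_dns)
                   for n in ee.dns_names):
            return False
    return True


class DecisionCache:
    """Remembers an accept/reject decision keyed either on the EE
    fingerprint only or on the fingerprints of the whole presented chain."""

    def __init__(self, key_on_whole_chain: bool) -> None:
        self.key_on_whole_chain = key_on_whole_chain
        self._store: Dict[Tuple[str, ...], bool] = {}

    def _key(self, presented: List[Cert]) -> Tuple[str, ...]:
        if self.key_on_whole_chain:
            return tuple(c.fingerprint for c in presented)
        return (presented[0].fingerprint,)

    def lookup(self, presented: List[Cert]) -> Optional[bool]:
        return self._store.get(self._key(presented))

    def remember(self, presented: List[Cert], accepted: bool) -> None:
        self._store[self._key(presented)] = accepted


def connect(cache: DecisionCache, presented: List[Cert],
            anchors: List[Cert]) -> str:
    """One connection: reuse a cached decision if present, otherwise build
    and validate paths, record the outcome, and report what happened."""
    cached = cache.lookup(presented)
    if cached is not None:
        return "accepted-from-cache" if cached else "rejected-from-cache"
    paths = build_paths(presented[0], presented[1:], anchors)
    accepted = any(path_valid(p) for p in paths)
    cache.remember(presented, accepted)
    return "accepted" if accepted else "rejected"


# Constructed PKI: one "Sub CA" key holds two certificates, one from each
# root. Root B's issuance constrains everything below it to .internal.example.
ROOT_A = Cert("Root A", "Root A")
ROOT_B = Cert("Root B", "Root B")
SUB_VIA_A = Cert("Sub CA", "Root A")
SUB_VIA_B = Cert("Sub CA", "Root B", permitted_dns=(".internal.example",))
EE = Cert("www.example.com", "Sub CA", dns_names=("www.example.com",))
ANCHORS = [ROOT_A, ROOT_B]


def scenario(key_on_whole_chain: bool) -> Tuple[str, str]:
    """First connection presents the chain through Root A; the second swaps
    in the Sub CA certificate issued by Root B. Returns both outcomes."""
    cache = DecisionCache(key_on_whole_chain)
    first = connect(cache, [EE, SUB_VIA_A], ANCHORS)
    second = connect(cache, [EE, SUB_VIA_B], ANCHORS)
    return first, second


if __name__ == "__main__":
    print("EE-only cache:    ", scenario(key_on_whole_chain=False))
    print("whole-chain cache:", scenario(key_on_whole_chain=True))
```

With the cache keyed on the EE fingerprint alone, the second connection is accepted straight from the cache even though the only path now on offer fails the intermediate's name constraint; with the cache keyed on the whole chain, the changed chain is a cache miss, gets re-evaluated, and is rejected (or, in a client that shows the chain to advanced users, surfaced for a fresh decision). That is the case Jim's original text wanted to keep.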
