On 04/12/2016 06:00, capuchin...@gmail.com wrote:
> Jakob Bohm wrote on Sunday, December 4, 2016 at 1:23:16 AM UTC+8:
>
>> You have made a fundamental technical mistake.
>
> I do not understand why you said that we made a fundamental technical
> mistake. As I had participated in drafting RFC 5280, I am sure that our
> implementation fully conforms to RFC 5280 and of course the original ITU-T
> X.509 standards. Do you mean that our conforming to the standards is a
> fundamental mistake? If so, why are standards needed?


The mistake was to use a part of those standards which is often
problematic in the real world.  For example, according to your
presentation, when IIS builds server certificate chains to send to
clients, it compares only the DN, causing problems when non-AIA-
downloading browsers visit IIS-powered sites with GCA certificates.

It is a technical mistake in believing all software handles multiple
certificates with the same DN, not a legal mistake in reading a
document saying this should be permitted.


>> Asking for mandatory AIA is a bad solution.
>
> We are not asking for mandatory AIA implementation. We are here to ask
> Mozilla to include our second generation self-signed root certificate of Taiwan
> GRCA, which conforms to the PKIX standard, in the NSS trust list.


Your previous post said:

> Chunghwa Telecom  suggested to make AIA mandatory and browsers must
> support fetching intermediate certificates through AIA. Supporting
> AIA will also reduce some web site administrators forget to install
> intermediate certificates to their server follow CAs or web server’s
> manuals. (In SSL protocol, SSL servers should send intermediate
> certificate & SSL certificate to SSL client)

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
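
Added example, not part of the original message and not any product's code: a simplified Python model of issuer selection when a store holds two CA certificates with the same DN, contrasting DN-only matching with matching the authority key identifier (AKI) against the subject key identifier (SKI). All names, DNs and key identifiers are constructed, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Cert:
    name: str            # label used only in this example
    subject: str         # subject DN
    issuer: str          # issuer DN
    ski: str             # subjectKeyIdentifier (constructed hex)
    aki: Optional[str]   # authorityKeyIdentifier, None when the extension is absent

# Constructed data: two self-signed roots share one DN but hold different keys.
CA_DN = "CN=Example Root CA,O=Example,C=XX"
ROOT_G1 = Cert("root-g1", CA_DN, CA_DN, ski="a1a1", aki="a1a1")
ROOT_G2 = Cert("root-g2", CA_DN, CA_DN, ski="b2b2", aki="b2b2")
LEAF = Cert("leaf", "CN=www.example.test", CA_DN, ski="c3c3", aki="b2b2")
STORE = [ROOT_G1, ROOT_G2]  # store order decides the DN-only result

def issuer_by_dn(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """DN-only selection: first entry whose subject equals the issuer DN."""
    return next((c for c in store if c.subject == cert.issuer), None)

def issuer_by_dn_and_keyid(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Among same-DN candidates, prefer the one whose SKI equals the cert's AKI."""
    candidates = [c for c in store if c.subject == cert.issuer]
    if cert.aki is not None:
        for c in candidates:
            if c.ski == cert.aki:
                return c
    return candidates[0] if candidates else None  # no AKI: fall back to DN order

def build_chain(leaf: Cert, store: List[Cert],
                pick: Callable[[Cert, List[Cert]], Optional[Cert]]) -> List[Cert]:
    """Follow issuer links until a self-issued certificate is reached."""
    chain, current = [leaf], leaf
    while current.subject != current.issuer:
        parent = pick(current, store)
        if parent is None or parent in chain:
            break
        chain.append(parent)
        current = parent
    return chain

def aki_mismatches(chain: List[Cert]) -> List[str]:
    """Names of certificates whose AKI differs from the SKI of the chosen issuer."""
    return [c.name for c, p in zip(chain, chain[1:])
            if c.aki is not None and c.aki != p.ski]
```

A chain flagged by `aki_mismatches` names an issuer with the right DN but the wrong key, so a client that does not fetch the issuer through AIA cannot verify it.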
