On Tue, May 16, 2017 at 11:00 AM, Rob Stradling via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 16/05/17 15:41, Ryan Sleevi via dev-security-policy wrote:
> <snip>
>
>> The important point in this is that there should not be a non-linear path
>> of trust (which is implied, I think, by the reading of "group of
>> cross-certs"). But yes, there would be a linearized path.
>>
>
> If you *rely* on AIA, then why not set the AIA->caIssuers content to be a
> PKCS#7 "group of cross-certs" ?

1) Clients don't widely support PKCS#7
2) LOL PKCS#7 is a tirefire
3) Because that's an added/unnecessary complexity to the PKI which is pretty
detrimental compared to a linearized path.

I presume, but perhaps you can clarify, that the 'group of cross-certs' is
meant to cover the case where you have roots A, B, C, where A was created at
T-6, B at T-3, and C at T0, with an intermediate I issuing leaf L.

I presume that your goal is that rather than expressing:

L -> I -> C -> B -> A

That you want to express

L -> I -> C -> C2 (via AIA) -> B -> C3 (via AIA) -> A

Is that correct? What is the advantage of that, given that PKCS#7 involves
BER, it introduces C/C2/C3, and you're still supplying the same number of
certs?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
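A constructed illustration of the path building being debated, added here and not part of the thread: a small depth-first path builder over a toy model of roots A/B/C, intermediate I, leaf L and the cross-certificates C2 and C3 (all constructed labels; a real client matches DNs and key identifiers, and checks signatures and validity). It shows that the AIA variant ends up with the same certificates in the path as the served, linearized chain, the difference being how many the client must fetch; self-signed roots act as trust anchors and do not appear inside the path.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    name: str     # label as used in the thread (constructed)
    subject: str  # stands in for subject DN + subject key
    issuer: str   # stands in for issuer DN + authority key


# Constructed model of the scenario in the reply: roots A (oldest), B, C
# (newest), intermediate I issued by C, leaf L, and cross-certificates
# C2 (C's key signed by B) and C3 (B's key signed by A). Roots are self-signed.
STORE: Dict[str, Cert] = {c.name: c for c in [
    Cert("A", "A", "A"), Cert("B", "B", "B"), Cert("C", "C", "C"),
    Cert("C3", "B", "A"), Cert("C2", "C", "B"),
    Cert("I", "I", "C"), Cert("L", "L", "I"),
]}

# AIA caIssuers as the reply imagines it: each cert points at the
# cross-certificate for its issuer (constructed; keyed by cert name).
AIA: Dict[str, List[str]] = {"I": ["C2"], "C2": ["C3"]}


def fetch_aia(cert: Cert) -> List[Cert]:
    """Stand-in for an HTTP fetch of the caIssuers URL (constructed)."""
    return [STORE[n] for n in AIA.get(cert.name, [])]


def build_path(leaf: Cert, supplied: List[Cert], anchors: Set[str],
               fetch: Callable[[Cert], List[Cert]]) -> Optional[Tuple[List[str], int]]:
    """Depth-first path construction from leaf up to a trust anchor.

    Issuer candidates are taken from the certs supplied in the handshake
    first, and only then from an AIA fetch. Returns (path, fetch_count)
    or None when no path to an anchor exists.
    """
    fetches = 0

    def walk(cur: Cert, path: List[str], seen: Set[str]) -> Optional[List[str]]:
        nonlocal fetches
        if cur.issuer in anchors:            # anchor reached: stop here
            return path + [cur.issuer]
        cands = [c for c in supplied if c.subject == cur.issuer and c.name not in seen]
        if not cands:                        # nothing served: go out to AIA
            fetches += 1
            cands = [c for c in fetch(cur) if c.subject == cur.issuer and c.name not in seen]
        for nxt in cands:                    # 'seen' prevents cross-cert loops
            found = walk(nxt, path + [nxt.name], seen | {nxt.name})
            if found:
                return found
        return None

    res = walk(leaf, [leaf.name], {leaf.name})
    return (res, fetches) if res else None
```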