On Tue, May 16, 2017 at 11:00 AM, Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 16/05/17 15:41, Ryan Sleevi via dev-security-policy wrote:
> <snip>
>
>> The important point in this is that there should not be a non-linear path
>> of trust (which is implied, I think, by the reading of "group of
>> cross-certs"). But yes, there would be a linearized path.
>>
>
> If you *rely* on AIA, then why not set the AIA->caIssuers content to be a
> PKCS#7 "group of cross-certs" ?

1) Clients don't widely support PKCS#7
2) LOL PKCS#7 is a tirefire
3) Because that's added/unnecessary complexity to the PKI which is
pretty detrimental compared to a linearized path.

I presume, but perhaps you can clarify, that the 'group of cross-certs' is
meant to cover the case where you have roots A, B, C, where A was created at
T-6, B at T-3, and C at T0, with an intermediate I issuing leaf L.

I presume that your goal is that rather than expressing:
L -> I -> C -> B -> A

That you want to express

L -> I -> C
         -> C2 (via AIA) -> B
         -> C3 (via AIA) -> A

Is that correct? What is the advantage of that, given that PKCS#7 involves
BER, it introduces C/C2/C3, and you're still supplying the same number of
certs?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
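A small path builder, added here as an illustration and not code from the thread, modelling the two layouts Ryan sketches in his own notation (L, I, C, C2, C3, B, A are the thread's labels; the toy certificate structures and the `Cert`, `build_paths` and `is_linear` names are assumptions). It shows what "non-linear path of trust" means for a client: with the cross-cert bundle the walk from I branches over three certificates that all carry subject C, whereas the linearized layout is a single straight walk.

```python
from typing import Dict, List, NamedTuple, Set

class Cert(NamedTuple):
    name: str     # label as used in the thread
    subject: str  # key the certificate binds (cross-certs share a subject)
    issuer: str   # subject of the key that signed it

# Constructed toy PKI in the thread's notation (an assumption, not a real
# hierarchy): roots A (oldest), B, C (newest); intermediate I issues leaf L.
# Linearized path: each newer root is signed by the next older one.
LINEAR = [Cert("L", "L", "I"), Cert("I", "I", "C"),
          Cert("C", "C", "B"), Cert("B", "B", "A"), Cert("A", "A", "A")]
# "Group of cross-certs": C is a self-signed root and C2 / C3 are C's key
# signed by B and by A, as an AIA caIssuers bundle would deliver them.
CROSS = [Cert("L", "L", "I"), Cert("I", "I", "C"), Cert("C", "C", "C"),
         Cert("C2", "C", "B"), Cert("C3", "C", "A"),
         Cert("B", "B", "B"), Cert("A", "A", "A")]

def build_paths(leaf: str, pool: List[Cert], anchors: Set[str]) -> List[List[str]]:
    """Enumerate every chain from the leaf to a trusted anchor subject.

    Depth-first search over issuer links.  A chain ends as soon as the
    current cert was signed by an anchor; self-signed certs are never
    walked through (they are only useful as anchors) and each cert appears
    at most once per chain, so cross-certs cannot produce infinite loops."""
    by_subject: Dict[str, List[Cert]] = {}
    for c in pool:
        by_subject.setdefault(c.subject, []).append(c)
    paths: List[List[str]] = []

    def walk(cert: Cert, chain: List[str]) -> None:
        chain = chain + [cert.name]
        if cert.issuer in anchors:
            paths.append(chain + [cert.issuer])
            return
        for cand in by_subject.get(cert.issuer, []):
            if cand.subject != cand.issuer and cand.name not in chain:
                walk(cand, chain)

    for start in by_subject.get(leaf, []):
        walk(start, [])
    return paths

def is_linear(paths: List[List[str]]) -> bool:
    """True when every path is a prefix of the longest one, i.e. the pool
    forms one straight line rather than a branching graph."""
    longest = max(paths, key=len, default=[])
    return all(p == longest[:len(p)] for p in paths)
```

With a trust store holding both A and B, `LINEAR` yields the single chain L, I, C, B while `CROSS` yields two distinct chains (via C2 to B and via C3 to A) that a client has to choose between.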