On 16/05/17 16:11, Ryan Sleevi via dev-security-policy wrote:
On Tue, May 16, 2017 at 11:00 AM, Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

On 16/05/17 15:41, Ryan Sleevi via dev-security-policy wrote:
<snip>

The important point in this is that there should not be a non-linear path
of trust (which is implied, I think, by the reading of "group of
cross-certs"). But yes, there would be a linearized path.


If you *rely* on AIA, then why not set the AIA->caIssuers content to be a
PKCS#7 "group of cross-certs" ?


1) Clients don't widely support PKCS#7

Regarding AIA->caIssuers, RFC5280 says:
  'Conforming applications that support HTTP or FTP for accessing
   certificates MUST be able to accept individual DER encoded
   certificates and SHOULD be able to accept "certs-only" CMS messages.'

Out of interest, which particular clients chase AIA->caIssuers HTTP URLs but ignore that "SHOULD"? (I know CryptoAPI has accepted "certs-only" CMS messages since XP, but I've not checked any other implementations).

2) LOL PKCS#7 is a tirefire
3) Because that's an added/unnecessary complexity to the PKI which is
pretty detrimental compared to a linearized path.

Sure, it's certainly added complexity.

I presume, but perhaps you can clarify, that the 'group of cross-certs' is
meant to cover the case where you have roots A, B, C, where A was created at
T-6, B at T-3, and C at T0, with an intermediate I issuing leaf L

I presume that your goal is that rather than expressing:
L -> I -> C -> B -> A

That you want to express

L -> I -> C
          -> C2 (via AIA) -> B
          -> C3 (via AIA) -> A
Is that correct?

That's what my question was about, yes.

What is the advantage of that, given that PKCS#7 involves
BER, it introduces C/C2/C3, and you're still supplying the same number of
certs?
I don't think there is any notable advantage.

I asked the question because I thought it would be useful to enumerate the reasons why "there should not be a non-linear path" rather than just assume it to be fact. ;-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
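The RFC 5280 text quoted in the thread (clients MUST accept a single DER certificate from an AIA caIssuers URL and SHOULD accept a "certs-only" CMS message) is easy to state but the second form is where client implementations diverge, partly because PKCS#7/CMS is BER and may use indefinite-length encoding. The following is an added example, not code from the thread or from any of the participants: a small stdlib-only Python parser that classifies a caIssuers response body as either a lone certificate or a certs-only SignedData message and extracts the raw certificate DER blobs from it, tolerating BER indefinite-length wrappers around the CMS structure. The "certificates" it is fed are constructed, structurally minimal placeholders (no real names, keys or signatures); a real client would hand the extracted blobs to its normal X.509 parser and path validation, which this example does not do.

```python
"""Classify and unpack an AIA caIssuers response (RFC 5280 4.2.2.1).

Accepted forms:
  * a single DER-encoded Certificate (the RFC 5280 MUST), or
  * a "certs-only" CMS ContentInfo/SignedData (the RFC 5280 SHOULD),
    whose outer layers may be BER with indefinite lengths.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


@dataclass
class Element:
    tag: int
    start: int      # offset of the tag byte
    vstart: int     # offset of the first content byte
    vend: int       # offset one past the last content byte (EOC excluded)
    end: int        # offset one past the whole element (EOC included)
    children: List["Element"] = field(default_factory=list)


def parse_element(buf: bytes, pos: int) -> Element:
    """Parse one BER/DER TLV at pos; constructed elements are parsed recursively."""
    start = pos
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:
        # BER indefinite length: contents run until an end-of-contents octet pair.
        if not constructed:
            raise ValueError("indefinite length on a primitive element")
        vstart = pos
        kids = []
        while not (pos + 1 < len(buf) and buf[pos] == 0 and buf[pos + 1] == 0):
            kid = parse_element(buf, pos)
            kids.append(kid)
            pos = kid.end
        return Element(tag, start, vstart, pos, pos + 2, kids)
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    vstart, vend = pos, pos + length
    if vend > len(buf):
        raise ValueError("element runs past end of buffer")
    kids = []
    if constructed:
        p = vstart
        while p < vend:
            kid = parse_element(buf, p)
            kids.append(kid)
            p = kid.end
    return Element(tag, start, vstart, vend, vend, kids)


def parse_ca_issuers_body(body: bytes) -> Tuple[str, List[bytes]]:
    """Return ("certificate", [der]) or ("certs-only", [der, ...])."""
    root = parse_element(body, 0)
    if root.end != len(body):
        raise ValueError("trailing data after top-level element")
    if root.tag != 0x30 or not root.children:
        raise ValueError("top-level element is not a SEQUENCE")
    first = root.children[0]
    if first.tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate", [body[root.start:root.end]]
    if first.tag == 0x06 and body[first.vstart:first.vend] == OID_SIGNED_DATA:
        # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
        content = root.children[1]
        if content.tag != 0xA0 or not content.children:
            raise ValueError("malformed ContentInfo.content")
        signed_data = content.children[0]
        # SignedData: version, digestAlgorithms, encapContentInfo,
        #             certificates [0] IMPLICIT OPTIONAL, crls [1], signerInfos
        for el in signed_data.children[3:]:
            if el.tag == 0xA0:
                return "certs-only", [body[c.start:c.end] for c in el.children if c.tag == 0x30]
        return "certs-only", []
    raise ValueError("neither a Certificate nor a SignedData ContentInfo")


# ---- constructed sample data (placeholder structures, not real certificates) ----
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + content


def placeholder_cert(label: bytes) -> bytes:
    """Certificate-shaped SEQUENCE { tbs SEQUENCE, sigAlg SEQUENCE, BIT STRING }."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x13, label))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa"))


def certs_only_cms_ber(certs: List[bytes]) -> bytes:
    """Certs-only SignedData wrapped in BER indefinite-length ContentInfo layers."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                 + der(0x30, der(0x06, OID_DATA)) + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return (b"\x30\x80" + der(0x06, OID_SIGNED_DATA)
            + b"\xa0\x80" + signed + b"\x00\x00" + b"\x00\x00")


if __name__ == "__main__":
    c2, c3 = placeholder_cert(b"C2"), placeholder_cert(b"C3")
    print(parse_ca_issuers_body(c2)[0], "->", 1, "cert")
    kind, found = parse_ca_issuers_body(certs_only_cms_ber([c2, c3]))
    print(kind, "->", len(found), "certs")
```

`certs_only_cms_ber` deliberately emits the outer `SEQUENCE` and `[0]` with indefinite lengths, which is what a DER-only parser chokes on; the certificates themselves stay definite-length so the extracted blobs are byte-identical to what was put in.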