On 16/05/17 16:11, Ryan Sleevi via dev-security-policy wrote:
> On Tue, May 16, 2017 at 11:00 AM, Rob Stradling via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>> On 16/05/17 15:41, Ryan Sleevi via dev-security-policy wrote:
>>> <snip>
>>> The important point in this is that there should not be a non-linear path
>>> of trust (which is implied, I think, by the reading of "group of
>>> cross-certs"). But yes, there would be a linearized path.
>> If you *rely* on AIA, then why not set the AIA->caIssuers content to be a
>> PKCS#7 "group of cross-certs"?
> 1) Clients don't widely support PKCS#7
Regarding AIA->caIssuers, RFC5280 says:
'Conforming applications that support HTTP or FTP for accessing
certificates MUST be able to accept individual DER encoded
certificates and SHOULD be able to accept "certs-only" CMS messages.'
Out of interest, which particular clients chase AIA->caIssuers HTTP URLs
but ignore that "SHOULD"?
(I know CryptoAPI has accepted "certs-only" CMS messages since XP, but
I've not checked any other implementations).
> 2) LOL PKCS#7 is a tirefire
> 3) Because that's added/unnecessary complexity to the PKI which is
> pretty detrimental compared to a linearized path.
Sure, it's certainly added complexity.
> I presume, but perhaps you can clarify, that the 'group of cross-certs' is
> meant to cover the case where you have roots A, B, C, where A was created at
> T-6, B at T-3, and C at T0, with an intermediate I issuing leaf L.
> I presume that your goal is that rather than expressing:
> L -> I -> C -> B -> A
> That you want to express
> L -> I -> C
>           -> C2 (via AIA) -> B
>           -> C3 (via AIA) -> A
> Is that correct?
That's what my question was about, yes.
> What is the advantage of that, given that PKCS#7 involves
> BER, it introduces C/C2/C3, and you're still supplying the same number of
> certs?
I don't think there is any notable advantage.
I asked the question because I thought it would be useful to enumerate
the reasons why "there should not be a non-linear path" rather than just
assume it to be fact. ;-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
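A check a client implementer would want for the RFC 5280 text quoted in this thread: a dispatcher for the body fetched from an AIA caIssuers URL that accepts the MUST form (one DER-encoded certificate) and the SHOULD form (a "certs-only" CMS/PKCS#7 signedData message), and rejects the BER indefinite-length encoding that DER forbids. This is an added example, not code from the thread or from any named implementation (CryptoAPI or otherwise); the DER walker is a minimal hypothetical helper, and the certificate bytes are constructed stand-ins that have only the outer shape the dispatcher inspects, not valid X.509 certificates.

```python
"""AIA caIssuers payload dispatch: single DER Certificate or certs-only CMS.

Added example (not from the thread). RFC 5280 s4.2.2.1: clients MUST accept an
individual DER certificate and SHOULD accept a "certs-only" CMS message.
"""

# DER-encoded value of OID 1.2.840.113549.1.7.2 (id-signedData)
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
# DER-encoded value of OID 1.2.840.113549.1.7.1 (id-data), used by certs-only messages
ID_DATA = bytes.fromhex("2a864886f70d010701")


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).

    Rejects the BER indefinite-length form (0x80) that RFC 5280 profiles out.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(value):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, nxt = _read_tlv(value, pos)
        yield tag, inner, value[pos:nxt]
        pos = nxt


def _certs_from_content_info(body):
    """Extract DER certificates from a signedData ContentInfo body (OID already checked)."""
    kids = list(_children(body))
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("ContentInfo without [0] content")
    sd_tag, sd_body, _ = _read_tlv(kids[1][1], 0)
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    fields = list(_children(sd_body))
    # SignedData: version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT ...
    if len(fields) < 4 or fields[3][0] != 0xA0:
        return []  # a certs-only message that carries no certificates
    # CertificateChoices: only the plain 'certificate' alternative (SEQUENCE) is taken
    return [raw for tag, _, raw in _children(fields[3][1]) if tag == 0x30]


def parse_ca_issuers(payload):
    """Return a list of DER Certificate byte strings from a caIssuers HTTP body."""
    tag, body, end = _read_tlv(payload, 0)
    if tag != 0x30 or end != len(payload):
        raise ValueError("payload is not a single DER SEQUENCE")
    first_tag, first_val, _ = _read_tlv(body, 0)
    if first_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }: the MUST case
        return [bytes(payload)]
    if first_tag == 0x06 and first_val == ID_SIGNED_DATA:
        return _certs_from_content_info(body)  # the SHOULD case
    raise ValueError("neither a Certificate nor a signedData ContentInfo")


# --- constructed sample input (synthetic, for demonstration only) ---

def _der(tag, value):
    """Encode one TLV with DER definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_certificate(label):
    """Constructed stand-in with a Certificate's outer shape; NOT a valid X.509 cert."""
    tbs = _der(0x30, _der(0x13, label))  # tbsCertificate placeholder
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def certs_only_cms(certs):
    """Wrap DER certs in a degenerate certs-only SignedData (no signers, no content)."""
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")                     # version 1
                       + _der(0x31, b"")                        # digestAlgorithms: empty
                       + _der(0x30, _der(0x06, ID_DATA))        # encapContentInfo: id-data
                       + _der(0xA0, b"".join(certs))            # certificates [0] IMPLICIT
                       + _der(0x31, b""))                       # signerInfos: empty
    return _der(0x30, _der(0x06, ID_SIGNED_DATA) + _der(0xA0, signed_data))


if __name__ == "__main__":
    c2, c3 = fake_certificate(b"C2"), fake_certificate(b"C3")
    print(len(parse_ca_issuers(c2)), "cert from single DER")
    print(len(parse_ca_issuers(certs_only_cms([c2, c3]))), "certs from certs-only CMS")
```

The same dispatcher lets a client that chases caIssuers serve both shapes the RFC names without guessing from the HTTP Content-Type; the BER check matters because real PKCS#7 producers sometimes emit indefinite lengths, which a strict DER client should refuse rather than parse loosely.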
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy