On Tue, May 16, 2017 at 2:12 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>
> Regarding AIA->caIssuers, RFC5280 says:
> 'Conforming applications that support HTTP or FTP for accessing
> certificates MUST be able to accept individual DER encoded
> certificates and SHOULD be able to accept "certs-only" CMS messages.'
>
> Out of interest, which particular clients chase AIA->caIssuers HTTP URLs
> but ignore that "SHOULD"?
> (I know CryptoAPI has accepted "certs-only" CMS messages since XP, but
> I've not checked any other implementations).

Selfishly, Chrome :)

Less selfishly, macOS (see tpIssuerCertViaNet, which just creates a
TPCertInfo with the response data, aka 'DER-encoded X.509v3 cert')

Even the NSS implementation (by way of libpkix's AIA mgr calling
CERT_DecodeCertPackage) doesn't "properly" implement the defined bits :)
Just enough to get you close enough ;)

>> What is the advantage of that, given that PKCS#7 involves
>> BER, it introduces C/C2/C3, and you're still supplying the same number of
>> certs?
>>
> I don't think there is any notable advantage.
>
> I asked the question because I thought it would be useful to enumerate the
> reasons why "there should not be a non-linear path" rather than just assume
> it to be fact. ;-)

You mean I can't just spout opinion here without substantiating it? ;)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
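As an added example, not code from Chrome, macOS, NSS or anyone on this thread: a small Python reader that accepts a caIssuers response in either of the two forms RFC 5280 names, a bare DER certificate or a "certs-only" CMS SignedData (PKCS#7) message, including the BER indefinite-length encoding that the PKCS#7 form allows. The TLV parser, the `classify` and `extract_certificates` functions and the sample inputs are all assumptions of this example; the sample "certificate" is a constructed placeholder with only the outer Certificate shape (tbsCertificate, signatureAlgorithm, signatureValue), not a signed certificate, so it exercises the dispatch and unwrapping logic and nothing more.

```python
"""Accept both caIssuers response forms named by RFC 5280: a single DER
Certificate, or a certs-only CMS SignedData message.  Added example, not
any client's code.  The TLV reader handles DER definite lengths and the
BER indefinite-length form; sample inputs below are constructed."""
from dataclasses import dataclass, field
from typing import List

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


@dataclass
class Node:
    tag: int
    start: int            # offset of the tag octet in the buffer
    end: int              # offset one past the last octet of this TLV
    value: bytes = b""    # content of a primitive element
    children: List["Node"] = field(default_factory=list)


def _read_length(buf: bytes, off: int):
    first = buf[off]
    if first == 0x80:
        return None, off + 1                     # BER indefinite length
    if first < 0x80:
        return first, off + 1                    # short form
    n = first & 0x7F                             # long form, n length octets
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def parse_tlv(buf: bytes, off: int = 0) -> Node:
    """Parse one TLV starting at `off`, recursing into constructed types."""
    tag = buf[off]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509/CMS")
    length, pos = _read_length(buf, off + 1)
    constructed = bool(tag & 0x20)
    if length is None:                           # indefinite: read until 00 00
        if not constructed:
            raise ValueError("indefinite length on a primitive type")
        node = Node(tag, off, 0)
        while buf[pos:pos + 2] != b"\x00\x00":
            if pos >= len(buf):
                raise ValueError("missing end-of-contents octets")
            child = parse_tlv(buf, pos)
            node.children.append(child)
            pos = child.end
        node.end = pos + 2
        return node
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    node = Node(tag, off, end)
    if constructed:
        while pos < end:
            child = parse_tlv(buf, pos)
            node.children.append(child)
            pos = child.end
    else:
        node.value = buf[pos:end]
    return node


def classify(data: bytes) -> str:
    """'certificate' for a bare DER Certificate, 'cms' for a ContentInfo
    carrying SignedData; anything else is rejected."""
    root = parse_tlv(data)
    if root.tag != 0x30 or not root.children:
        raise ValueError("caIssuers response is not a SEQUENCE")
    first = root.children[0]
    if first.tag == 0x30:                        # tbsCertificate SEQUENCE
        return "certificate"
    if first.tag == 0x06 and first.value == ID_SIGNED_DATA:  # contentType OID
        return "cms"
    raise ValueError("unrecognised caIssuers response")


def extract_certificates(data: bytes) -> List[bytes]:
    """Return the DER Certificate blobs carried by a caIssuers response."""
    root = parse_tlv(data)
    if classify(data) == "certificate":
        return [data[root.start:root.end]]       # drops any trailing bytes
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    if len(root.children) < 2 or root.children[1].tag != 0xA0:
        raise ValueError("ContentInfo without [0] content")
    signed = root.children[1].children[0]        # the SignedData SEQUENCE
    # SignedData: version, digestAlgorithms, encapContentInfo, then the
    # optional [0] IMPLICIT certificates, [1] IMPLICIT crls, signerInfos.
    certs = []
    for fld in signed.children[3:]:
        if fld.tag == 0xA0:
            for choice in fld.children:
                if choice.tag == 0x30:           # Certificate; skip other choices
                    certs.append(data[choice.start:choice.end])
    return certs


# --- constructed sample inputs (placeholders, not real certificates) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _ber_indef(tag: int, content: bytes) -> bytes:
    return bytes([tag | 0x20, 0x80]) + content + b"\x00\x00"


# Outer Certificate shape only: tbsCertificate, signatureAlgorithm, signatureValue
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0x02, b"\x02"))
                   + _der(0x30, b"") + _der(0x03, b"\x00"))


def _certs_only(wrap) -> bytes:
    """Degenerate SignedData with no signers, as PKCS#7 certs-only produces."""
    encap = _der(0x30, _der(0x06, ID_DATA))
    signed = wrap(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + encap
                  + wrap(0xA0, SAMPLE_CERT) + _der(0x31, b""))
    return wrap(0x30, _der(0x06, ID_SIGNED_DATA) + wrap(0xA0, signed))


SAMPLE_CMS_DER = _certs_only(_der)           # definite lengths throughout
SAMPLE_CMS_BER = _certs_only(_ber_indef)     # indefinite lengths, as BER allows

if __name__ == "__main__":
    for name, blob in [("bare DER", SAMPLE_CERT), ("CMS/DER", SAMPLE_CMS_DER),
                       ("CMS/BER", SAMPLE_CMS_BER)]:
        print(name, classify(blob), len(extract_certificates(blob)))
```

A client that only does what Rob's "MUST" clause requires is the `certificate` branch alone; the `cms` branch is the "SHOULD", and the indefinite-length path in `parse_tlv` is the extra work that BER brings with it. Real deployments would hand each extracted blob to a proper X.509 parser and path builder rather than trusting the outer shape.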