Why not "AIA chasing considered harmful"? The current state of affairs is that most browsers [other than Firefox] will go and fetch the intermediate if it's not cached. This manifests itself as sites not working in Firefox, and users switching to other browsers.
You may be further dismayed to learn that Firefox will soon implement intermediate preloading [1] as a privacy-preserving alternative to AIA chasing.

- Wayne

[1] https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading#Intermediate_CA_Preloading

On Thu, Nov 28, 2019 at 1:39 PM Ben Laurie <b...@google.com> wrote:

> On Thu, 28 Nov 2019 at 20:22, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
>> Ben Laurie via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>>
>> >In short: caching considered harmful.
>>
>> Or "caching considered necessary to make things work"?
>
> If you happen to visit a bazillion sites a day.
>
>> In particular:
>>
>> >caching them and filling in missing ones means that failure to present
>> >correct cert chains is common behaviour.
>>
>> Which came first? Was caching a response to broken chains or broken chains a
>> response to caching?
>>
>> Just trying to sort out cause and effect.
>
> Pretty sure if broken chains caused browsers to not show pages, then there
> wouldn't be broken chains.
>
> --
> I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
> #VerifyAllTheThings.
>
> https://g.co/u58vjr https://g.co/adjusu
> *(Google internal)*

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy