Eddy,

Eddy Nigg wrote:
>
> Julien, can we assume that by trying to construct a valid chain up to a
> trusted root - even by fetching intermediate CAs via the AIA CA Issuer
> extension - doesn't present a risk we can not take? During this
> discussion I've found that only a very minimal privacy concern exists -
> if at all. I'd very much like to see the arguments against the
> implementation of fetching intermediate CA certificates declared null
> and void. At least to the extent which would allow us for such an
> implementation.

I'm only saying it's safe to try to decode anything you have in memory within the application with one of the NSS ASN.1 decoders, and it doesn't present a risk to the integrity of the rest of the process.

Issues of privacy related to downloads having been performed are separate. I must say that I haven't been following that part of the discussion closely enough to have an opinion on that topic.