In theory, TLS path-building could be addressed by server admins.

Unfortunately, practice shows that users (RPs) of third-party PKIs do not get informed by CAs when it is time to install a new intermediate CA certificate, because the brand (root) has expanded its issuing-customer base, or because a single CA adds a new intermediate CA for performance/migration reasons.

Due to that, some issuers have reverted to putting the entire path (possibly minus the root) into their cards to not get problems with non-MSIE users. This method is outside of FIPS 201 and the Federal Certificate Profile, which says AIA is a MUST (in the certs).

There are commercial trust networks that would need 30+ certificates to be output.

IMO, AIA is required in both ends because there is nothing in the TLS spec that requires you to provide the complete path in either end. Using AIA caIssuers, only roots and EE certs are exchanged on the wire.

Anders

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
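The situation the post describes, modelled as an added example (this is not code from the post, from Mozilla, or from any real path-building library): the server sends only the EE certificate, and the relying party locates each intermediate through the caIssuers entry of the AIA extension. Certificates are simplified records with subject, issuer and AIA fields; the "fetch" is a lookup into a constructed in-memory repository standing in for HTTP retrieval; names, URLs and the `build_path` function are assumptions of the example. Signature verification, key identifiers and revocation are deliberately left out, so this shows only the discovery step that AIA solves, not full RFC 5280 validation.

```python
"""Toy AIA-driven certificate path building (added example, not from the post).

Models a relying party that only holds its trust anchors, receives the EE cert
on the wire, and follows the AIA caIssuers URL in each certificate to locate
the issuing intermediate(s). No real X.509 parsing or signature checking is
done; subject/issuer matching is by name only (an assumption of the example).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# id-ad-caIssuers OID from RFC 5280 (1.3.6.1.5.5.7.48.2); used as the key of
# the AIA accessMethod -> accessLocation mapping on each toy certificate.
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: Dict[str, str] = field(default_factory=dict)  # accessMethod -> URL


class PathBuildError(Exception):
    """Raised when no path from the EE to a trust anchor can be located."""


def build_path(ee: Cert, trust_anchors: Dict[str, Cert],
               fetch: Callable[[str], Optional[Cert]],
               max_depth: int = 10) -> List[Cert]:
    """Return [EE, intermediate..., trust anchor], following caIssuers.

    trust_anchors maps subject name -> root cert held locally by the RP.
    fetch(url) returns the certificate published at a caIssuers URL, or None.
    """
    chain = [ee]
    seen = {ee.subject}
    current = ee
    for _ in range(max_depth):
        # Stop as soon as the issuer is one of our configured trust anchors.
        if current.issuer in trust_anchors:
            chain.append(trust_anchors[current.issuer])
            return chain
        url = current.aia.get(ID_AD_CA_ISSUERS)
        if url is None:
            # This is the failure the post warns about: an unknown intermediate
            # and no AIA pointer means the RP cannot find the issuer.
            raise PathBuildError(
                f"{current.subject}: issuer {current.issuer!r} not in trust "
                f"store and no caIssuers AIA entry to locate it")
        issuer_cert = fetch(url)
        if issuer_cert is None:
            raise PathBuildError(f"caIssuers URL {url} did not return a cert")
        if issuer_cert.subject != current.issuer:
            raise PathBuildError(
                f"cert fetched from {url} has subject {issuer_cert.subject!r}, "
                f"expected {current.issuer!r}")
        if issuer_cert.subject in seen:
            raise PathBuildError("issuer loop detected while building path")
        seen.add(issuer_cert.subject)
        chain.append(issuer_cert)
        current = issuer_cert
    raise PathBuildError(f"no trust anchor reached within {max_depth} steps")


# --- Constructed sample PKI (hypothetical names and URLs) -------------------
ROOT = Cert("Example Brand Root", "Example Brand Root")
# A newly added intermediate the RP has never been told about; it carries an
# AIA pointer to its issuer, the root.
NEW_INTERMEDIATE = Cert(
    "Example Brand Issuing CA 2", "Example Brand Root",
    {ID_AD_CA_ISSUERS: "http://aia.example.test/root.cer"})
# EE issued by the new intermediate, with AIA pointing at that intermediate.
EE_WITH_AIA = Cert(
    "server.example.test", "Example Brand Issuing CA 2",
    {ID_AD_CA_ISSUERS: "http://aia.example.test/issuing-ca-2.cer"})
# Same EE but issued without an AIA extension, as some issuers do.
EE_WITHOUT_AIA = Cert("server.example.test", "Example Brand Issuing CA 2")

# Stand-in for the CA's HTTP repository; a real RP would fetch over HTTP.
REPOSITORY = {
    "http://aia.example.test/issuing-ca-2.cer": NEW_INTERMEDIATE,
    "http://aia.example.test/root.cer": ROOT,
}
TRUST_STORE = {ROOT.subject: ROOT}


def demo_with_aia() -> List[str]:
    """Path from an AIA-bearing EE; only the EE was 'on the wire'."""
    return [c.subject for c in build_path(EE_WITH_AIA, TRUST_STORE, REPOSITORY.get)]


def demo_without_aia() -> str:
    """Same EE without AIA: path building fails with an explanatory error."""
    try:
        build_path(EE_WITHOUT_AIA, TRUST_STORE, REPOSITORY.get)
    except PathBuildError as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    print(" -> ".join(demo_with_aia()))
    print(demo_without_aia())
```

`demo_with_aia` shows the point of the post: the RP never had "Example Brand Issuing CA 2" installed, yet the path completes because the EE's caIssuers URL leads to it. `demo_without_aia` shows why issuers without AIA end up shipping the whole path themselves.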