Eddy Nigg wrote, On 2009-03-23 11:20:
> On 03/23/2009 08:13 PM, Nelson B Bolyard:
>> Perhaps PSM should have a feature, used at cert import time, that discovers
>> that the chain is incomplete and offers, at that time, to go and fetch the
>> missing certs in the chain via AIA.
> 
> Could this be a solution which could be applied to Firefox as well in the 
> error pages? Something like:
> 
> "The certificate appears to be signed by an unknown root. However the 
> certificate indicates that it's chained to an issuer which is unknown. 
> Shall Firefox try to fetch the issuer certificate?"

I'd change that last line to this:

Click here to bet your career that this cert is genuine and not a forgery.

I'd suggest that we also display the URL for the user to see before
deciding, but we know that users would click without even looking at it.

Because of the security risks AIAs present to relying parties, I see AIA
as a way to help Subject parties (the people SENDING the certs), not relying
parties (the people receiving and attempting to validate them).
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
