Closed Bug 542674 Opened 14 years ago Closed 13 years ago

Support downloading Intermediate CA certificates by following URLs within an AIA/CAIssuers extension

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

VERIFIED DUPLICATE of bug 399324

People

(Reporter: Bill.Burns, Unassigned)

References

(Depends on 2 open bugs)

Details

(Keywords: privacy, Whiteboard: [psm-cert-manager] [parity-IE] [libpkix-switch])

Refer to thread in https://bugzilla.mozilla.org/show_bug.cgi?id=390835

Am proposing that this feature be enabled by default. Apparently this already is an experimental feature within FF/NSS.

Benefits:
- Feature parity with IE
- Make PKI slightly easier for sysadmins to deploy, which will
- Help end users experience fewer SSL-related errors when admins fail to install the required SSL intermediate CA certificates.

This concept disturbs me. A Web server administrator who does not understand the need to install intermediate certificates might also not understand other aspects of Internet security. After all, the mere presence of an SSL certificate does not prevent hacking, software bugs that display sensitive information on unsecured Web pages, or the loss of backup media. When I go to a secure Web site, I want some assurance that the administrator is indeed paying attention to what is needed for security, at least that the server has indeed been configured correctly.

If this RFE is implemented, it means that convenience for naive users -- and ignorant Web server administrators -- outweighs a concern for security.  In that case, I request a user-oriented option to turn off this capability.

Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]

AFAICT, libpkix supports this. When we switch to libpkix for all cert chain validation, we need to decide if we want this feature, which is good for IE parity but bad for privacy.

Depends on: psm-pkix
Keywords: privacy
Whiteboard: [psm-cert-manager] → [psm-cert-manager] [parity-IE] [libpkix-switch]

Adding to the benefits Bill listed in the description, this change will also allow FF/NSS to better support bridged PKI environments where there are multiple chains to different trust anchors possible. The web server cannot be configured correctly for this because the server does not know which trust anchors the client will accept and therefore does not know which chain to send.

This bug looks like a duplicate of bug 399324.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
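
The feature discussed in this bug depends on reading the caIssuers entries out of a certificate's Authority Information Access extension. The following is an added example, not code from this bug, NSS or PSM: a stdlib-only parser for a DER AuthorityInfoAccessSyntax value that lists the caIssuers URLs and separates the ones a client would fetch from the ones it would refuse. The function names, the HTTP-only scheme allow-list and the `ca.example` hostnames are assumptions made for illustration, and the sample extension is constructed.

```python
from urllib.parse import urlsplit

OID_AD_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
OID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
SEQUENCE, OID, URI = 0x30, 0x06, 0x86                  # 0x86 = GeneralName [6] URI

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ca_issuer_urls(aia_der):
    """List the caIssuers URIs in a DER AuthorityInfoAccessSyntax value."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)             # one AccessDescription
        m_tag, method, nxt = read_tlv(desc, 0)         # accessMethod
        l_tag, location, _ = read_tlv(desc, nxt)       # accessLocation
        if (m_tag, method, l_tag) == (OID, OID_AD_CA_ISSUERS, URI):
            urls.append(location.decode("ascii"))
    return urls

def fetch_plan(aia_der, allowed_schemes=("http",)):
    """Split caIssuers URIs into (fetchable, rejected) by URL scheme."""
    ok, rejected = [], []
    for url in ca_issuer_urls(aia_der):
        allowed = urlsplit(url).scheme.lower() in allowed_schemes
        (ok if allowed else rejected).append(url)
    return ok, rejected

def tlv(tag, value):                   # encoder used only to build the sample
    n = len(value)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + value

# Constructed sample: one OCSP entry and two caIssuers entries.
SAMPLE_AIA = tlv(SEQUENCE, b"".join(
    tlv(SEQUENCE, tlv(OID, oid) + tlv(URI, uri)) for oid, uri in [
        (OID_AD_OCSP, b"http://ocsp.ca.example/"),
        (OID_AD_CA_ISSUERS, b"http://certs.ca.example/intermediate.cer"),
        (OID_AD_CA_ISSUERS, b"ldap://dir.ca.example/cn=Intermediate"),
    ]))
```

Every host in the fetchable list is a server the client would contact while validating the certificate, which is the privacy cost raised in the comments above.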