Authority Information Access extension (AIA) enabling by default ?
Sean Mullan
sean.mullan at oracle.com
Wed Apr 10 13:15:02 UTC 2024
On 4/10/24 3:44 AM, Baesken, Matthias wrote:
> Hello, in sun/security/provider/certpath/Builder.java we check a
> property com.sun.security.enableAIAcaIssuers to set AIA (Authority
> Information Access extension) support :
>
> https://github.com/openjdk/jdk/blob/71c5bbcec7052a8394dd49c0a8c46801adbfcae4/src/java.base/share/classes/sun/security/provider/certpath/Builder.java#L54
>
> /**
>  * Flag indicating whether support for the caIssuers field of the
>  * Authority Information Access extension shall be enabled. Currently
>  * disabled by default for compatibility reasons.
>  */
> static final boolean USE_AIA = GetBooleanAction
>         .privilegedGetProperty("com.sun.security.enableAIAcaIssuers");
>
> By default, the AIA support is disabled (but can be enabled by the
> property above).
>
> Are there some plans/thoughts to enable it by default in the future?
>
> (and what are the stated compatibility reasons that were mentioned
> many years ago when the comment was written?
>
> Are they still as valid today as before?)
The comment is somewhat incorrect as I believe it's more for security
reasons. We don't necessarily want to make an outbound network request
w/o the user or application enabling that by setting a system property.
Plus, AIA fetching of the certificate issuer's certificate occurs
*before* the certificate has been validated (since it requires the CA's
public key to verify the signature on the certificate), so the AIA URL
has not been validated beforehand. That may not introduce any security
issues, but it still makes sense to not enable this by default in my
opinion.
See
https://mailarchive.ietf.org/arch/browse/tls/?gbt=1&index=nYcRUUOXN_urd1ol569DrwfJ20A
for some discussion about this on the IETF PKIX mailing list.
--Sean
>
> Best regards, Matthias
>
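The caIssuers URL that AIA fetching would contact comes straight from the not-yet-validated certificate, which is the concern Sean raises above. The following is an added example, not code from this thread or from the JDK: it lists the caIssuers URIs of every certificate in a PEM or DER file given as its first argument, so an operator can see where the JDK would make outbound requests before deciding to set the property, and it reports whether com.sun.security.enableAIAcaIssuers is set in the running JVM. The file path is an assumption; the small DER walk assumes definite-length encoding, which is what X.509 DER requires.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Lists the AIA caIssuers URIs of the certificates in a file (added example, not JDK code). */
public class AiaCaIssuersAudit {

    // id-pe-authorityInfoAccess, the extension Builder.java consults when USE_AIA is true
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";
    // DER content octets of id-ad-caIssuers (1.3.6.1.5.5.7.48.2); id-ad-ocsp ends in ...48.1
    static final byte[] ID_AD_CA_ISSUERS = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};

    /** Reads one DER TLV at off and returns {tag, valueStart, valueEnd}. Definite lengths only. */
    static int[] tlv(byte[] b, int off) {
        int tag = b[off] & 0xFF;
        int len = b[off + 1] & 0xFF;
        int p = off + 2;
        if (len >= 0x80) {                       // long form: low 7 bits = number of length octets
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xFF);
        }
        return new int[] {tag, p, p + len};
    }

    /** Returns every caIssuers URI in the certificate's AIA extension (empty if none). */
    static List<String> caIssuersUris(X509Certificate cert) {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue(AIA_OID);
        if (ext == null) return uris;
        int[] octetString = tlv(ext, 0);        // getExtensionValue wraps the value in an OCTET STRING
        int[] seq = tlv(ext, octetString[1]);   // AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
        int p = seq[1];
        while (p < seq[2]) {
            int[] ad = tlv(ext, p);             // AccessDescription ::= SEQUENCE { accessMethod, accessLocation }
            int[] oid = tlv(ext, ad[1]);
            int[] loc = tlv(ext, oid[2]);
            boolean caIssuers = Arrays.equals(
                    Arrays.copyOfRange(ext, oid[1], oid[2]), ID_AD_CA_ISSUERS);
            // GeneralName uniformResourceIdentifier is context tag [6] (0x86), an IA5String
            if (caIssuers && loc[0] == 0x86) {
                uris.add(new String(ext, loc[1], loc[2] - loc[1], StandardCharsets.US_ASCII));
            }
            p = ad[2];
        }
        return uris;
    }

    public static void main(String[] args) throws Exception {
        // Same property Builder.java reads; it must be passed as -D... on the java command line
        // to affect the JDK's own path builder, which reads it at class initialisation.
        System.out.println("com.sun.security.enableAIAcaIssuers="
                + Boolean.getBoolean("com.sun.security.enableAIAcaIssuers"));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // args[0] is an assumption: a PEM or DER file holding one or more certificates
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal());
                List<String> uris = caIssuersUris(x);
                if (uris.isEmpty()) System.out.println("  (no caIssuers URI)");
                // each of these would be fetched, before signature validation, if AIA were enabled
                for (String u : uris) System.out.println("  caIssuers -> " + u);
            }
        }
    }
}
```

Run it as `java AiaCaIssuersAudit chain.pem` to list the URIs, and as `java -Dcom.sun.security.enableAIAcaIssuers=true AiaCaIssuersAudit chain.pem` to confirm the property is visible to the JVM in the form Builder.java expects.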