Authority Information Access extension (AIA) enabling by default?
Baesken, Matthias
matthias.baesken at sap.com
Wed Apr 10 13:48:44 UTC 2024
Hi Sean, thanks for the additional information on the topic.
(I already found a few discussions on the web where this feature/extension was not liked very much.)
Best regards, Matthias
>The comment is somewhat incorrect as I believe it's more for security
>reasons. We don't necessarily want to make an outbound network request
>w/o the user or application enabling that by setting a system property.
>Plus, AIA fetching of the certificate issuer's certificate occurs
>*before* the certificate has been validated (since it requires the CA's
>public key to verify the signature on the certificate), so the AIA URL
>has not been validated beforehand. That may not introduce any security
>issues, but it still makes sense to not enable this by default in my
>opinion.