by noahm
4895 days ago
"If the browser doesn’t know the intermediate CA, it must look for it and download it." Is that accurate? Where is this behavior specified? RFC 2246 states "If the server is authenticated, its certificate message must provide a valid certificate chain leading to an acceptable certificate authority." No mention of a client doing behind-the-scenes magic to fill in the missing intermediate certs. It's been my understanding that cert validation will simply fail if there are missing intermediate certs, and my experience is that this is the case. However, if there's something I'm missing that would allow a browser to synthesize the cert chain, I'd be interested in reading about it.
In practice, there's not a "single" chain for a server. Different clients have different trust anchors, support different signing algorithms, and encounter the same certificates at different times. This has all conspired such that "Every Modern Browser" will, as necessary, examine the AIA extensions presented in the certificates and attempt to construct a valid chain, even if the server supplies an 'invalid' one.
A decent description of the complexity that modern PKI libraries (e.g. browsers & OSes) implement can be found at http://social.technet.microsoft.com/wiki/contents/articles/4...
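As an added illustration of the AIA chasing the reply above describes (this is example code written for this page, not code from the thread, from any browser, or from the Microsoft article linked), the following stdlib-only Python builds a chain from a leaf-only handshake by following the leaf's own caIssuers URL. The certificates, the host names and the URL http://aia.example.com/intermediate.cer are constructed for the demo: they are minimal, unsigned X.509 DER shells that carry only subject, issuer and an AIA extension, and the `fetch` callable stands in for the browser's HTTP fetch. Signatures and validity periods are deliberately not checked, and issuers are matched by CN for readability; a real validator compares the full DN or key identifier and verifies every signature.

```python
# Added example, not code from the thread or from any browser: AIA chasing on
# constructed, unsigned X.509 DER shells. No signature/validity checks; CN-only issuer matching.
OID_AIA, OID_CA_ISSUERS, OID_CN = "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.2", "2.5.4.3"

def der(tag, body):  # DER TLV, definite length
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else bytes([n])
    return bytes([tag]) + (bytes([0x80 | len(lb)]) if n >= 0x80 else b"") + lb + body

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:  # base-128, high bit set on all but the last byte
        enc = [v & 0x7F]
        while v := v >> 7:
            enc.insert(0, 0x80 | (v & 0x7F))
        out += enc
    return der(0x06, bytes(out))

def children(buf):  # yield (tag, body) of each DER TLV found in buf
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: the low 7 bits count the length bytes that follow
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        yield tag, buf[pos:pos + ln]
        pos += ln
body = lambda buf: next(children(buf))[1]  # body of the first TLV in buf

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if c < 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

ALG = der(0x30, der_oid("1.2.840.113549.1.1.11"))  # sha256WithRSAEncryption, placeholder only
name = lambda cn: der(0x30, der(0x31, der(0x30, der_oid(OID_CN) + der(0x0C, cn.encode()))))

def make_cert(subject, issuer, ca_issuers_url=None):  # constructed, unsigned, empty SPKI
    # AIA ::= SEQUENCE OF AccessDescription { id-ad-caIssuers, uniformResourceIdentifier [6] }
    aia = der(0x30, der(0x30, der_oid(OID_CA_ISSUERS) + der(0x86, (ca_issuers_url or "").encode())))
    exts = der(0xA3, der(0x30, der(0x30, der_oid(OID_AIA) + der(0x04, aia)))) if ca_issuers_url else b""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG + name(issuer)
           + der(0x30, der(0x18, b"20240101000000Z") * 2) + name(subject) + der(0x30, b"") + exts)
    return der(0x30, der(0x30, tbs) + ALG + der(0x03, b"\x00"))

def name_cn(name_body):  # first CN attribute in a Name (SEQUENCE OF SET OF {OID, value})
    atvs = (list(children(atv)) for _, rdn in children(name_body) for _, atv in children(rdn))
    return next(val.decode() for (_, oid), (_, val) in atvs if decode_oid(oid) == OID_CN)

def parse_cert(cert_der):
    """Subject CN, issuer CN and the caIssuers URLs from the AIA extension."""
    fields = list(children(body(body(cert_der))))[1:]  # TBSCertificate fields after [0] version
    info = {"issuer": name_cn(fields[2][1]), "subject": name_cn(fields[4][1]), "ca_issuers": []}
    for tag, val in fields[6:]:
        for _, ext in children(body(val)) if tag == 0xA3 else []:  # [3] EXPLICIT Extensions
            parts = list(children(ext))  # extnID, [critical], extnValue OCTET STRING
            if decode_oid(parts[0][1]) != OID_AIA:
                continue
            for _, ad in children(body(parts[-1][1])):
                (_, method), (loc_tag, loc) = list(children(ad))
                if decode_oid(method) == OID_CA_ISSUERS and loc_tag == 0x86:
                    info["ca_issuers"].append(loc.decode("ascii"))
    return info

def build_chain(presented, trust_anchors, fetch, max_depth=8):
    """[leaf, ..., last intermediate] whose issuer is a trust anchor, else None.
    fetch(url) -> DER bytes stands in for the browser's HTTP fetch of a caIssuers URL."""
    by_subject = {parse_cert(c)["subject"]: c for c in presented}  # what the server sent
    anchors = {parse_cert(a)["subject"] for a in trust_anchors}
    chain = [presented[0]]
    while len(chain) <= max_depth:  # max_depth also bounds issuer loops / self-signed leaves
        cur = parse_cert(chain[-1])
        if cur["issuer"] in anchors:
            return chain
        nxt = by_subject.get(cur["issuer"])
        if nxt is None:  # server omitted it: chase the certificate's own AIA URL
            for url in cur["ca_issuers"]:
                try:
                    got = fetch(url)
                except Exception:
                    continue
                if got and parse_cert(got)["subject"] == cur["issuer"]:
                    nxt = got
                    break
        if nxt is None:
            return None
        chain.append(nxt)
    return None

# Constructed scenario: server sends only the leaf; the intermediate lives behind a made-up AIA URL.
ROOT = make_cert("Example Root CA", "Example Root CA")
INTER = make_cert("Example Intermediate CA", "Example Root CA")
LEAF = make_cert("www.example.com", "Example Intermediate CA", "http://aia.example.com/intermediate.cer")
REPO = {"http://aia.example.com/intermediate.cer": INTER}  # stands in for the CA's HTTP server

def demo(leaf=LEAF):  # CNs of the chain a client can build from a leaf-only handshake
    chain = build_chain([leaf], [ROOT], fetch=REPO.__getitem__)
    return [parse_cert(c)["subject"] for c in chain] if chain else None
```

`demo()` returns `['www.example.com', 'Example Intermediate CA']`: the server omitted the intermediate, and the client recovered it from the leaf's AIA. Build the same leaf without a caIssuers URL and `demo` returns `None`, which is the failure the first comment describes; present the intermediate in the handshake and `fetch` is never consulted. Note that this is why a missing intermediate shows up as "works in my browser, fails in curl/Java/older clients": whether a chain is valid depends on which client is asked, and only some of them chase AIA.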