Hacker News new | comments | show | ask | jobs | submit login

The Authority Info Access extension ( http://tools.ietf.org/html/rfc3280#section- ) can contain caIssuers field that point to URIs from which the issuer certificate may be downloaded.

In practice, there's not a "single" chain for a server. Different clients have different trust anchors, support different signing algorithms, and encounter the same certificates at different times. This has all conspired such that "Every Modern Browser" will, as necessary, examine the AIA extensions presented in the certificates and attempt to construct a valid chain, even if the server supplies an 'invalid' one.

A decent description of the complexity that modern PKI libraries (eg: browsers & OSes) implement can be found at http://social.technet.microsoft.com/wiki/contents/articles/4...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact