
Certification path building for 509 certificates

Çağlar Arlı


To this date, is there a specification or a de-facto industry standard for how applications are supposed to perform certification path building in the context of X.509? I am specifically asking about the part of the certification path building process that retrieves all the necessary certificates.

"Certification path building is the process by which the certificate processing system obtains the certification path between a trust anchor and the target certificate." (RFC 3280)

[1] is a 2005 informational RFC about the topic, but it's not a "Standard" nor a "Best Current Practice".

Wikipedia mentions that, at least in the early days of 509 certs, a server would send all the required certificates:

"[...] The problem is the client does not know where to fetch missing intermediate certificates because the global X.500 directory never materialized. [...] To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate." (Wikipedia)

Moreover, from online sources, I gathered that applications (e.g. web browsers) are preconfigured with intermediate certificates.

Finally, I came across Authority Information Access (AIA), which seems to be a standard feature a client could use to retrieve missing intermediate certificates. But again, this feature is not mandatory, and I found examples of it sometimes being implemented, sometimes not. (Medium article on AIA)

I listed 3 ways to perform Certification Path Building (receive the certs from the server, certs hardcoded in the application, and AIA). But is there a standard?
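Added example (not part of the question above, nor code from any of the sources it cites): a small Go program that models the three sources the question lists. It constructs a throwaway root, intermediate and leaf certificate in memory (the "Demo" names, "www.example.test" and the AIA URL "http://aia.example.test/intermediate.cer" are constructed placeholders), then builds the path from the leaf upward by matching each certificate's issuer against candidate subjects and checking the signature, consulting the trust anchors first, then what the server sent, then a preconfigured intermediate store. When no issuer is found it stops and reports the dangling certificate's AIA caIssuers URLs instead of fetching them, which is exactly the point at which a real client decides whether to fall back to AIA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey; a nil parent means self-signed. aiaURLs fill the AIA caIssuers field.
func issue(cn string, isCA bool, aiaURLs []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed demo serial, not production-grade
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IssuingCertificateURL: aiaURLs,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CheckSignatureFrom rejects a parent without keyCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by CreateCertificate, so it parses
	return cert, key
}

// NewDemoPKI constructs root (trust anchor) -> intermediate -> leaf; the leaf's AIA names where its intermediate could be fetched.
func NewDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Demo Root CA", true, nil, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", true, nil, root, rootKey)
	leaf, _ := issue("www.example.test", false, []string{"http://aia.example.test/intermediate.cer"}, inter, interKey)
	return root, inter, leaf
}

// findIssuer returns the first candidate whose subject matches cert's issuer AND that actually signed it (names alone are not unique).
func findIssuer(cert *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if !bytes.Equal(c.Raw, cert.Raw) && bytes.Equal(c.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

// BuildPath walks from leaf toward a trust anchor, consulting trust anchors, then certificates the server sent,
// then the preconfigured intermediate store. If no issuer is found it returns the partial path plus the dangling
// certificate's AIA caIssuers URLs; fetching them (the third mechanism in the question) is deliberately not done here.
func BuildPath(leaf *x509.Certificate, fromServer, preconfigured, anchors []*x509.Certificate) ([]*x509.Certificate, []string, error) {
	local := append(append([]*x509.Certificate{}, fromServer...), preconfigured...)
	path := []*x509.Certificate{leaf}
	for cur := leaf; len(path) <= 8; { // 8 is an arbitrary depth limit guarding against issuer loops
		if a := findIssuer(cur, anchors); a != nil {
			return append(path, a), nil, nil
		}
		next := findIssuer(cur, local)
		if next == nil {
			return path, cur.IssuingCertificateURL, errors.New("no issuer found for " + cur.Subject.CommonName)
		}
		path, cur = append(path, next), next
	}
	return path, nil, errors.New("path too long")
}

// Scenario: the server always sends the leaf and optionally the intermediate; the client may have the intermediate preconfigured.
func Scenario(root, inter, leaf *x509.Certificate, serverSendsIntermediate, intermediatePreconfigured bool) (int, []string, error) {
	fromServer, preconfigured := []*x509.Certificate{leaf}, []*x509.Certificate{}
	if serverSendsIntermediate {
		fromServer = append(fromServer, inter)
	}
	if intermediatePreconfigured {
		preconfigured = append(preconfigured, inter)
	}
	path, aia, err := BuildPath(leaf, fromServer, preconfigured, []*x509.Certificate{root})
	return len(path), aia, err
}

func main() {
	root, inter, leaf := NewDemoPKI()
	for _, s := range [][2]bool{{true, false}, {false, true}, {false, false}} {
		n, aia, err := Scenario(root, inter, leaf, s[0], s[1])
		fmt.Printf("server sends intermediate=%v preconfigured=%v: path length %d, AIA to fetch %v, err %v\n", s[0], s[1], n, aia, err)
	}
}
```

Running it with `go run` prints the three outcomes: a full three-certificate path when the server sends the intermediate or when the client already has it, and a one-certificate dead end with the leaf's AIA URL when neither is true. Production verifiers such as Go's own `x509.Certificate.Verify` (which takes an `Intermediates` pool) do the same walk with many more constraints (validity, name constraints, policies, revocation), but the source-ordering question the post raises is the same.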