Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 01 October 2010 18:01 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id D61ED3A6D0D for <certid@core3.amsl.com>;
Fri, 1 Oct 2010 11:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.14
X-Spam-Level:
X-Spam-Status: No, score=-102.14 tagged_above=-999 required=5 tests=[AWL=0.125,
BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBuhru4KJQN9 for
<certid@core3.amsl.com>; Fri, 1 Oct 2010 11:01:12 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com
[69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id B94783A6C38 for
<certid@ietf.org>; Fri, 1 Oct 2010 11:01:12 -0700 (PDT)
Received: (qmail 400 invoked by uid 0); 1 Oct 2010 18:02:01 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy1.bluehost.com with SMTP; 1 Oct 2010 18:02:01 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=gduV/sfFRCeeEttwW7uPAvJTfV8bJtT7VL5jzmei398b8tMn/Rd+5rtoQBEM15LWEeBZqosUdCjGZK/Q0yF9kp44idEmF/R8XAfecqIBqjzlvathMulr0dJizwoW/u65;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.179]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1P1jvk-0003if-Rh for
certid@ietf.org; Fri, 01 Oct 2010 12:02:00 -0600
Message-ID: <4CA62216.3070508@KingsMountain.com>
Date: Fri, 01 Oct 2010 11:01:58 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 18:01:13 -0000
Jim Schaad replied: > Martin Rex replied: >> Jim Schaad wrote: >> > >> > If there is only one possible certification path then there is no >> > difference between caching just the EE certificate and caching the >> > entire chain. However in the event that multiple certificate paths >> > are possible there may be a difference in behavior. >> >> Nope, not for what is specified in server-id-check. >> >> At most, the client would have to memorize along with the server cert >> whether regular certificate path validation worked for this cached cert. >> Any changes to the path (above the server cert) will either make the cert >> path validation fail or be security-irrelevant--entirely without caching >> and comparing chain certs above the cached/pinned server cert. > > There is no need to remember that path validation has passed or failed - by > definition it has passed or you would never even get here. The document > does not "permit" the case of using a certificate if path validation has > failed. Agreed. Perhaps we could make this more clear in sections "1.3. Applicability" and "1.4.2. Out of Scope". =JeffH
- [certid] section 4.6 rewrite (aka: Bad certificat… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre