Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)

["Jim Schaad" <ietf@augustcellars.com>]

If there is only one possible certification path then there is no difference between caching just the EE certificate and caching the entire chain.  However in the event that multiple certificate paths are possible there may be a difference in behavior.  It is possible that you would trust a specific trust anchor (or intermediate CA) to be more specific about getting things correct (sooner or later).  There may be differences in extensions which exist in the intermediate certificates which might lead to slightly different behavior in how the EE certificates are treated.  It is for these reasons that if an explicit mismatch exists then you might be more or less willing to trust the EE certificate based on a specific validation path but not on another validation path.

Jim


> -----Original Message-----
> From: Matt McCutchen [mailto:matt@mattmccutchen.net]
> Sent: Wednesday, September 29, 2010 6:11 PM
> To: Peter Saint-Andre
> Cc: Jim Schaad; 'IETF cert-based identity'
> Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
> 
> On Wed, 2010-09-29 at 16:39 -0600, Peter Saint-Andre wrote:
> > On 9/29/10 4:19 PM, Jim Schaad wrote:
> > > There was one case in the original text here that I was expecting to be
> > > kept.   This was the case of the chain of certificates being changed from
> > > when it was originally presented.  Given the suggestion that the
> > > chain is shown for advanced users (see 4.6.4) I am wondering about
> > > the fact that we are no longer looking at anything more that the
> > > terminal certificate at this point.
> >
> > Yes, that's important.
> 
> What is the benefit of caching the entire certification path?  What attacks does
> it prevent?  Mozilla PSM only caches the end-entity certificate, and if there is a
> problem with that approach, I would like to know about it.
> 
> --
> Matt