[TLS] Certificate validation can of worms
Watson Ladd <watsonbladd@gmail.com> Sat, 05 April 2014 01:36 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2IVuX727QWPTuFiRoMPuB76LwQY
Dear all,

https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf contains tests of many TLS implementations. Interestingly, all tested implementations contain errors, and all but OpenSSL have erroneous accepts. Cryptlib was not tested, because it doesn't validate certificates.

At the core of these issues is the complexity of certificate validation. Things for this committee to consider:

1. How will DANE make this worse?
2. Is this really the best we can do? What features of X509 led to these problems?
3. This focused on server authentication. How does client authentication fare?
4. Did this actually cover everything?

Sincerely,
Watson Ladd