Re: [TLS] Update spec to match current practices for certificate chain order

"Ryan Sleevi" <> Fri, 08 May 2015 21:10 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2E5811A0052 for <>; Fri, 8 May 2015 14:10:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kvxjwtLuz5dG for <>; Fri, 8 May 2015 14:10:22 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1F8951A002A for <>; Fri, 8 May 2015 14:10:21 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id E308726408B; Fri, 8 May 2015 14:10:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s=; bh=wkIPUusqAjj3N8jJ2B7Clr8WPVU=; b=USDtR+3ygI+RfbCdv rfWG+jWZVoa2Kf+i+i92GzSe/toM0ho7JXwxkKqT1NUhYy3j8qMgqFTcyi/3yEro +Kz1+Uyi9auJ8E9wRCBm+xYd5WtSOeoOeGi8PvwTX2xaeJYGxX6c06iQpU3Q8CpL ma7cekEEV+mJ0GfzCW1kDztjD0=
Received: from ( []) (Authenticated sender: by (Postfix) with ESMTPA id DFA1E2640B4; Fri, 8 May 2015 14:10:18 -0700 (PDT)
Received: from (SquirrelMail authenticated user by with HTTP; Fri, 8 May 2015 14:10:19 -0700
Message-ID: <>
In-Reply-To: <>
References: <> <>
Date: Fri, 8 May 2015 14:10:19 -0700
From: "Ryan Sleevi" <>
To: "Dave Garrett" <>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Update spec to match current practices for certificate chain order
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 May 2015 21:10:29 -0000

On Fri, May 8, 2015 8:29 am, Dave Garrett wrote:
>  Let me be clear: I don't fundamentally disagree with you.

While I have great respect for Martin, I do disagree and think he's
fundamentally wrong here, for the reasons I already explained in my first
message as to why what he's asking is not only *wrong*, but *unwise* and
an unnecessary coupling of two intentionally-independent layers.

> Do you
>  think we could compel every browser vendor to apply this (effectively) new
>  standard uniformly, and make the changes all at the same time?

As I said elsewhere, requiring ordering might be something browsers do in
the future, but it's fundamentally coupling two things which are
explicitly decoupled (and better off so)

>  I don't,
>  especially not from the TLS spec. Vendors can't even drop critically
>  insecure protocols in unison. I don't even have confidence that everyone
>  could coordinate a token change of coloring in the UI for this one narrow
>  case.

And of course, coloring is the unquestionably wrong answer here from a
usability study. It's not so much a bikeshed discussion as demonstrably
bad for users and homeopathic cybersecurity :)

> > I believe that one of the causes why the problem exists at all
> > is a lack of sensible PKI credential management on the server side.
>  Likely true, but outside of the current scope of action.

The only way in which this protocol could have worked as described is in
an X.500 world that no one should reasonably/sanely want. Outside of that,
we're talking about tradeoffs and compromise, and those are both sensible
and necessary, so I agree wholeheartedly here :)