Re: [TLS] Root certificates in server certificate chains

Kyle Hamilton <aerowolf@gmail.com> Sun, 12 September 2010 21:59 UTC

Message-ID: <4C8D4D50.2050603@gmail.com>
Date: Sun, 12 Sep 2010 14:59:44 -0700
From: Kyle Hamilton <aerowolf@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
References: <2eda4b7b6eb5c5a0a61b2caf2c7d97bf.squirrel@webmail.sleevi.com> <1283319223.2175.52.camel@mattlaptop2.local>
In-Reply-To: <1283319223.2175.52.camel@mattlaptop2.local>
Subject: Re: [TLS] Root certificates in server certificate chains

On 8/31/10 10:33 PM, Matt McCutchen wrote:
> The server's CertificateRequest will contain Root A's distinguished
> name, and the client should use that as the indication of where to stop.
> Again, there is no benefit to sending the actual certificate for Root A.
No benefit except the difference between seeing only a single broken 
certificate in the chain and the proposed certificate chain.

Granted, only a small percentage of the user base will actually *see* 
it... you could call it 'advertising at the cost of about 800 bytes per 
TLS session'.

-Kyle H
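The trade-off the two posts are arguing about can be made concrete. The following is an added example, not code from either poster or from the TLS working group: it builds a throw-away PKI (Root A, an intermediate, a server leaf) with the `cryptography` package and models the client-side rule McCutchen describes, walking the presented chain until a certificate's issuer matches a trust anchor the client already holds, then stopping. The walk never reads the root from the chain, whether or not the server sends it; the only measurable effect of including it is the extra DER bytes per handshake, which this example computes. The CA names, the hostname and the EC keys are constructed here (the roughly 800 bytes Hamilton quotes corresponds to a typical RSA root; the P-256 root generated below is smaller), and the path walk deliberately skips expiry, name and revocation checks so the stopping rule stays visible.

```python
"""Chain building with and without the root certificate in the server chain.

Added example for the thread above; not the posters' code. It models the
client rule "stop when the current certificate's issuer is a trust anchor"
and measures what sending Root A itself costs on the wire.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, subject_key, issuer_name, issuer_key, is_ca):
    # Constructed validity window; nothing below checks dates.
    start = datetime.datetime(2010, 9, 12)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_pki():
    """Root A -> Intermediate -> server leaf, all P-256 (constructed names)."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue(_name("Root A"), root_key, _name("Root A"), root_key, True)
    inter = _issue(_name("Intermediate"), inter_key, root.subject, root_key, True)
    leaf = _issue(_name("www.example.test"), leaf_key, inter.subject, inter_key, False)
    return root, inter, leaf


def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature (ECDSA only here)."""
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def walk_chain(presented, trust_anchors):
    """Simplified client-side path building.

    `presented` is the server's certificate_list (leaf first); `trust_anchors`
    are the client's own roots. Returns the subject DNs that were verified,
    stopping as soon as a certificate's issuer matches a trust anchor's
    subject. A root in `presented` is never consulted: the client uses its
    own copy. Expiry, hostname and revocation checks are left out on purpose.
    """
    by_subject = {c.subject: c for c in presented}
    anchors = {a.subject: a for a in trust_anchors}
    path, seen = [], set()
    cur = presented[0]
    while True:
        if cur.subject in seen:
            raise ValueError("loop in presented chain")
        seen.add(cur.subject)
        path.append(cur.subject.rfc4514_string())
        if cur.issuer in anchors:
            if not _signed_by(cur, anchors[cur.issuer]):
                raise ValueError("signature does not verify under trust anchor")
            return path
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            raise ValueError("chain does not reach a trust anchor")
        if not _signed_by(cur, nxt):
            raise ValueError("bad signature in chain")
        cur = nxt


def der_len(cert):
    return len(cert.public_bytes(serialization.Encoding.DER))


def chain_bytes(certs):
    """Bytes of certificate data in a Certificate message carrying these certs."""
    return sum(der_len(c) for c in certs)


def root_overhead(root, inter, leaf):
    """Extra bytes per handshake when the server also sends Root A."""
    return chain_bytes([leaf, inter, root]) - chain_bytes([leaf, inter])


if __name__ == "__main__":
    root, inter, leaf = build_pki()
    print("without root:", walk_chain([leaf, inter], [root]))
    print("with root:   ", walk_chain([leaf, inter, root], [root]))
    print("overhead of sending Root A:", root_overhead(root, inter, leaf), "bytes")
```

Both walks verify exactly the same two certificates and stop at the same place, which is McCutchen's point; the last line is Hamilton's cost, and it is simply the DER length of the root. Whether a user-visible chain display is worth that per-session cost is the judgement call the thread leaves open.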