Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi

mrex@sap.com (Martin Rex) Tue, 19 May 2015 19:23 UTC

To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Tue, 19 May 2015 21:23:16 +0200 (CEST)
From: mrex@sap.com (Martin Rex)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/769hezqYLNihBcVwM5LOYOs8n2o>
Cc: "<tls@ietf.org>" <tls@ietf.org>

Peter Gutmann wrote:
> Dave Garrett <davemgarrett@gmail.com> writes:
> 
> >Who else is in favor or against, at the moment?
> 
> I'm in favour of relaxing the requirements to match real-world practice.


Andrei Popov wrote:
>
> +1. Since we're not going to change implementations to conform
> to the current strict requirements (because it would have been
> a breaking change), we can as well relax the requirements.


Please do not mess this up *again* -- and clearly sort out where you
see any requirements that you feel are a problem.


The existing text does not place *ANY* requirement on what the client
may accept.  The requirements are exclusively about what the server
is required to send.

Andrei:  Is it possible to make Microsoft SChannel send arbitrary heaps
of certificates in the Server Certificate handshake message?  If yes,
how is it exactly configured what junk in what order gets sent?

Or were you actually thinking about client behaviour -- where the
existing text does not (and never intended to) place any specific
behaviour.


-Martin