Re: [TLS] Consensus call for certificate URL extension
Martin Rex <Martin.Rex@sap.com> Thu, 25 September 2008 19:54 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 77E723A68E7; Thu, 25 Sep 2008 12:54:43 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BC053A68E7 for <tls@core3.amsl.com>; Thu, 25 Sep 2008 12:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.466
X-Spam-Level:
X-Spam-Status: No, score=-5.466 tagged_above=-999 required=5 tests=[AWL=0.483, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQdDAAyuPyp0 for <tls@core3.amsl.com>; Thu, 25 Sep 2008 12:54:38 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 37F483A6884 for <tls@ietf.org>; Thu, 25 Sep 2008 12:54:38 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id m8PJo6Wq019246; Thu, 25 Sep 2008 21:50:06 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200809251950.m8PJo5FA021431@fs4113.wdf.sap.corp>
To: magnus@rsa.com
Date: Thu, 25 Sep 2008 21:50:05 +0200
In-Reply-To: <Pine.WNT.4.64.0809251503200.7968@W-JNISBETTEST-1.tablus.com> from "Magnus Nyström" at Sep 25, 8 03:10:03 pm
MIME-Version: 1.0
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Consensus call for certificate URL extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
=?iso-8859-1?Q?Magnus_Nystr=F6m?= wrote: > > I do not know if this extension still has value or not, but as one of the > authors of the original RFC 3546, I just wanted to provide some background > ... > > This extension came about a long time ago when the WAP Forum (today: Open > Mobile Alliance) was looking at introducing support for TLS in their > architecture. Given bandwidth-constraints in the mobile networks at the > time, it made sense to devise a way for clients to not having to send > their certificates (or chains) but rather have the servers pick them up > somewhere. Clearly, today's networks are more capable. Avoiding XML where it isn't necessary will save magnitudes more than an average SSL client cert (except maybe for CAs that abuse certs as digital junkyards), and SSL session caching will not only save bandwidth, but also computing power, especially on thin clients. The client should not need to send any chain certificates besides its own End-Entity (EE) cert if the CA which signed the clients EE cert has been announced by the server in the certificate_authorities list of the CertificateRequest message. We should have fixed the wording of the TLS specs 1.0/1.1/1.2 in this regard... The certificate_list is originally defined in 7.4.2 in the Server Certificate message--where the server doesn't know anything about the trust anchors known to the client and therefore sending the entire chain is appropriate. The structure is then referenced/reused in 7.4.6. Client Certificate, but it fails to account for the fact that the client has been sent a list of acceptable trust anchors by the Server in the CertificateRequest message and ought therefore be perfectly capable to verify a reduced chain up to one of the announced trust anchors from the certificate_authorities list, not only a full chain up to a self-signed root. -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Consensus call for certificate URL extension Joseph Salowey (jsalowey)
- Re: [TLS] Consensus call for certificate URL exte… Yoav Nir
- Re: [TLS] Consensus call for certificate URL exte… Martin Rex
- Re: [TLS] Consensus call for certificate URL exte… Blumenthal, Uri
- Re: [TLS] Consensus call for certificate URL exte… Eric Rescorla
- Re: [TLS] Consensus call for certificate URL exte… Nikos Mavrogiannopoulos
- Re: [TLS] Consensus call for certificate URL exte… Mike
- Re: [TLS] Consensus call for certificate URL exte… Mark Tillinghast
- Re: [TLS] Consensus call for certificate URL exte… Yoav Nir
- Re: [TLS] Consensus call for certificate URL exte… Martin Rex
- Re: [TLS] Consensus call for certificate URL exte… Pasi.Eronen
- Re: [TLS] Consensus call for certificate URL exte… Mohamad Badra
- Re: [TLS] Consensus call for certificate URL exte… Nelson B Bolyard
- Re: [TLS] Consensus call for certificate URL exte… Simon Josefsson
- Re: [TLS] Consensus call for certificate URL exte… Yoav Nir
- Re: [TLS] Consensus call for certificate URL exte… Magnus Nyström
- Re: [TLS] Consensus call for certificate URL exte… Alfred Hönes
- Re: [TLS] Consensus call for certificate URL exte… Martin Rex