Re: [TLS] Verifying X.509 Certificate Chains out of order

Martin Rex <Martin.Rex@sap.com> Tue, 07 October 2008 11:43 UTC

Martin Rex wrote:
> 
> Stefan Santesson wrote:
> > 
> > Just agreeing on the principle that implementers should be forced to
> > send the certificates in order but it definitely must be allowed
> > to accept out of order chains.
> 
> I have absolutely no problem with implementations that accept an
> unordered list.

Thinking about it, what exactly do you mean by unordered?

Since there isn't any additional information in the protocol to
identify the end-entity cert in the certificate_list, that certificate
will have to be the first.  Or does your code really apply heuristics
in locating the end entity cert?

In PKCS#7 there are the signerinfos (issuer&serial) that make the
search in the unordered and only loosely related CertificateAndCertificates
bag at least deterministic (not purely heuristic).

-Martin
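
An added example, not part of the original message: with the first certificate_list entry taken as the end-entity certificate, the remaining entries can be ordered deterministically by issuer/subject name chaining, while guessing the end-entity certificate from an unordered list can yield more than one candidate. The `Cert` type, the function names and the sample names are assumptions made for illustration, and only names are matched here.

```python
# Added illustration: Cert models only the subject and issuer names.
# Real path validation must also verify signatures, validity and constraints.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

def order_chain(certificate_list):
    """Build the path from certificate_list[0] by following issuer names."""
    if not certificate_list:
        raise ValueError("empty certificate_list")
    leaf, by_subject = certificate_list[0], {}
    for cert in certificate_list[1:]:
        known = by_subject.setdefault(cert.subject, cert)
        if known != cert:  # same subject, different issuer: names cannot decide
            raise ValueError("ambiguous issuer candidates for " + cert.subject)
    path, current = [leaf], leaf
    while current.issuer != current.subject:  # stop at a self-signed cert
        current = by_subject.pop(current.issuer, None)  # pop() prevents loops
        if current is None:  # issuer was not sent: return the partial path
            break
        path.append(current)
    return path

def leaf_candidates(certificate_list):
    """Heuristic guess at the end-entity cert: certs that issued no other entry."""
    return [c for c in certificate_list
            if not any(o.issuer == c.subject
                       for o in certificate_list if o is not c)]

# Constructed sample list: end-entity first, the rest shuffled, one stray cert.
SAMPLE = [
    Cert("CN=www.example.test", "CN=Issuing CA"),
    Cert("CN=Root CA", "CN=Root CA"),
    Cert("CN=Unrelated CA", "CN=Other Root"),
    Cert("CN=Issuing CA", "CN=Policy CA"),
    Cert("CN=Policy CA", "CN=Root CA"),
]

if __name__ == "__main__":
    print([c.subject for c in order_chain(SAMPLE)])
    print([c.subject for c in leaf_candidates(SAMPLE)])
```

On the sample list the heuristic returns two candidates, the real end-entity certificate and the stray one, whereas the position-based path is unique.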