Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs,

Martin Rex <> Tue, 02 January 2007 16:31 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1H1mYM-0001ji-CI; Tue, 02 Jan 2007 11:31:54 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1H1mYL-0001jd-5O for; Tue, 02 Jan 2007 11:31:53 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1H1mYJ-0002Wt-Pn for; Tue, 02 Jan 2007 11:31:53 -0500
Received: from (smtpde02) by (out) with ESMTP id RAA17759; Tue, 2 Jan 2007 17:31:45 +0100 (MEZ)
From: Martin Rex <>
Message-Id: <>
Subject: Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs,
Date: Tue, 2 Jan 2007 17:31:45 +0100 (MET)
In-Reply-To: <BAY103-DAV32C3E536342FDAC659EB992C40@phx.gbl> from "" at Dec 31, 6 11:58:19 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b30eb7682a596edff707698f4a80f7d
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Errors-To: wrote:
> Concerning 7.4.5. Certificate request
>            "A list of the distinguished names of acceptable certificate
>            authorities. These distinguished names may specify a desired
>            distinguished name for a root CA or for a subordinate CA;
>            thus, this message can be used both to describe known roots
>            and a desired authorization space. If the
>            certificate_authorities list is empty then the client MAY
>            send any certificate of the appropriate
>            ClientCertificateType, unless there is some external
>            arrangement to the contrary."
> So, what does this all really mean,
> just staying within the traditional PKI world?

This is *NOT* about PKI.
It is about X.509 certificates and certificate chains.

It means that the client should search his credentials and see
whether there is a match between one of the CAs from that list
of the Server and the issuer field of the certificate of
the clients credentials (itself, or of (one) of its chain(s)).

If there's at least one match, the client can use that credentials
for client authentication, including the certification path up
to at least the matching CA from the servers list.

X.509 certs must be DER-encoded, and there MUST be a binary/opaque
match of the CA name sent by the server with the issuer name in
the clients (end-entity or path) certificate, therefore all
the DNames in that list must be DER-encoded (or will likely not
match issuer names - except for broken CAs issuing defective certs
with non-DER encoded issuer names).


TLS mailing list