Re: [TLS] Update spec to match current practices for certificate chain order

Dave Garrett <> Fri, 08 May 2015 21:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A13711A19F0 for <>; Fri, 8 May 2015 14:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wp5jWs66Z6Pj for <>; Fri, 8 May 2015 14:34:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 334471A0A6A for <>; Fri, 8 May 2015 14:34:50 -0700 (PDT)
Received: by qgdy78 with SMTP id y78so42984535qgd.0 for <>; Fri, 08 May 2015 14:34:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=keoi3ONH5e/NENsBD7J16cDYsJeDTLqXqMHWqUKYl4w=; b=uNJ4gA6JNJTdKUdmxvPO/IZJWa5a0pciC0xs4hwna7a1A2WpATmy9Zz+8mnpHeguVR WEdUowHP7OdD3ojF0Rc8U5TE7CCLyx409lEZYFewtwAgDlgtRk2U/sfZAaMY6tgw511a AvwPzCWyIMFDOx9mIjyjmt4tzBnS2RELuwd7SUf0HYY6JKXQ+CZt525nmdgOd0A8w+5R DShph4IqbLKSVJPt5FbcMQptze5YRh8SbwdOdi8Q3rhRHhxutBDqZpl8ZnvMvpdNQ8tT puGuc9E/12Q9nY2qxIkpXwchkAsI9Fw8ax9l/jK+8EowcqGXy7ikaYnknILSKEDDq+7M Ar+Q==
X-Received: by with SMTP id s66mr58840qge.1.1431120889327; Fri, 08 May 2015 14:34:49 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id f131sm4446564qhc.47.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 08 May 2015 14:34:48 -0700 (PDT)
From: Dave Garrett <>
Date: Fri, 8 May 2015 17:34:47 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-73-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] Update spec to match current practices for certificate chain order
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 May 2015 21:34:51 -0000

On Friday, May 08, 2015 05:10:19 pm Ryan Sleevi wrote:
> On Fri, May 8, 2015 8:29 am, Dave Garrett wrote:
> >  Let me be clear: I don't fundamentally disagree with you.
> While I have great respect for Martin, I do disagree and think he's
> fundamentally wrong here, for the reasons I already explained in my first
> message as to why what he's asking is not only *wrong*, but *unwise* and
> an unnecessary coupling of two intentionally-independent layers.

This is a two decade old set of security standards. If you want any strict
separation of layers, you're going to need to start from scratch. (which we're
hopefully doing soon with something QUIC based) Anything other than
acknowledging this current situation as a mess and doing what you can
where you can (e.g. HPKP) is not really practical.

Wise as it may be to try to keep things decoupled, it's not the current reality.

> And of course, coloring is the unquestionably wrong answer here from a
> usability study.

It's wrong just from a biological perspective, seeing how colorblindness of
various forms is not uncommon.