[TLS] Question about draft-thomson-tls-sic
Watson Ladd <watson@cloudflare.com> Wed, 24 July 2019 00:22 UTC
Return-Path: <watson@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A85412098D for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 17:22:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7n_e0soeFBZ6 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 17:22:53 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86673120995 for <tls@ietf.org>; Tue, 23 Jul 2019 17:22:53 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id x22so38841683qtp.12 for <tls@ietf.org>; Tue, 23 Jul 2019 17:22:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=OuhccSSe2aO9ZwoBwmnLLMl3qh4HmECyV3oiUP1use0=; b=eNq0+rYD6w0cfjbACn6YhIvkptOH01sZZmmMmjt7mQHofIeWTgfQufV4NCEaI2tMsi uMwkHMbyFmu6sdSHsNUcGtNWYgxIx55KjvadSXmauhbfDGlwe7/UianOP2YVsoNxRS8L lkmyBxB3GWPTr4UxrO2j5BqN8gOeNnl7by8rM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=OuhccSSe2aO9ZwoBwmnLLMl3qh4HmECyV3oiUP1use0=; b=SFOoL7v47Hf7cl9+zJX7qrw/gvlUHtuGWRuMsNyDvtejIqly0aQ7z/dIoec0u6M0uz axHBlW1i4Ekv/ihS5X2tHVGJ3xfXA6TxgDsXrCJ9feDBiC+kz+KKMHm0F7PJ6hZUQA1m 2f26E1DpN0atNTDtpjO9Ggi2QkAvYH6SZOnvE7rbVqbMFc5LZ4C+Z0u+XXoKOfh9+QWB sfYnr0J0HdGURSMGe/qwooOxEkU7WinILE6Ks26qThc8VL9QalmGFqQHgMqUysu5C+O/ NVjxhmKKsIpcZ/FzgCCV1Ww1j9hx5WjwQ0vd5T8jOPsRaG7vV77qfVzvMjH23dHtcVfb NBLg==
X-Gm-Message-State: APjAAAUoKdC1VmaiNfHjT+iDPtV7YAHkULe0fSZK3B81pEzLtoxq7yoq 0jNXBLxNac2GNWMZXgPMtxrpAtLKeVdG3SsCm+nNEghDRdw2mA==
X-Google-Smtp-Source: APXvYqzPRsDfmn4JMcQOIaboB9Snt4pHqHcuGeq7loxk1n7ZrKSEvAVOHZMfqcXviqgL7Wzd++7FqbahzRbmxWd4F9k=
X-Received: by 2002:a0c:c382:: with SMTP id o2mr18918234qvi.75.1563927772511; Tue, 23 Jul 2019 17:22:52 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watson@cloudflare.com>
Date: Tue, 23 Jul 2019 17:22:41 -0700
Message-ID: <CAN2QdAFWKob0D5SMHHyyxgYH5qEm89eudh=_pahn4GVtWTbMQQ@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000056003c058e624f8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KAAKiEki36gL8g40ZimNHk39OXY>
Subject: [TLS] Question about draft-thomson-tls-sic
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 00:22:55 -0000
Suppose the following sequence of events happen: 1: A CA uses a new intermediate for reasons (no longer cross-signing, etc.) 2: A site gets a certificate from the new intermediate. 3: An older firefox version connects and thinks it knows all the certificates in the world. This would seem to break and it wasn't clear to me how this would be handled. Though as Martin points out this extension is merely codification of an occasional practice, so maybe this case does actually work out. Sincerely, Watson Ladd
- [TLS] Question about draft-thomson-tls-sic Watson Ladd
- Re: [TLS] Question about draft-thomson-tls-sic Adam Langley