Re: [TLS] Verifying X.509 Certificate Chains out of order
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Sun, 12 October 2008 23:05 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 245FD28C0E7; Sun, 12 Oct 2008 16:05:28 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E0573A6A3D for <tls@core3.amsl.com>; Sun, 12 Oct 2008 16:05:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.993
X-Spam-Level:
X-Spam-Status: No, score=0.993 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMkGzOqz09Wj for <tls@core3.amsl.com>; Sun, 12 Oct 2008 16:05:25 -0700 (PDT)
Received: from elasmtp-spurfowl.atl.sa.earthlink.net (elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]) by core3.amsl.com (Postfix) with ESMTP id 741B33A69EC for <tls@ietf.org>; Sun, 12 Oct 2008 16:05:25 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=fgC81Gt7Rvh9AIYc1DOkD+UFZKHUzRNWz9lR30/q3PrR3J0FGuHil8hjilwniKX+; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [4.227.98.162] (helo=ix.netcom.com) by elasmtp-spurfowl.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <jwkckid1@ix.netcom.com>) id 1KpA0m-0000fj-26; Sun, 12 Oct 2008 19:06:08 -0400
Message-ID: <48F14BB6.B29CC43C@ix.netcom.com>
Date: Sat, 11 Oct 2008 17:58:30 -0700
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Organization: IDNS and Spokesman for INEGroup
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <1223034323.30303.29.camel@localhost> <877i8pk772.fsf@mocca.josefsson.org> <1223281251.12502.74.camel@localhost> <87abdit8c2.fsf_-_@mocca.josefsson.org> <20081006144152.5B9596B57F6@kilo.rtfm.com> <20081006113354.69029a62@cs.columbia.edu> <1b587cab0810121328w21d2ed96n830198b5c63b43e1@mail.gmail.com>
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606880e0da728f9888de6b63ae80da016b7be350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 4.227.98.162
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
Ben and all, I fullu agree with you Ben. I for one am often willing to send what I feel is appropriate wheather or not others believe so or not, as long as it is in context and in keeping with the theme or topic at hand. Ben Laurie wrote: > On Mon, Oct 6, 2008 at 4:33 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > On Mon, 06 Oct 2008 07:41:52 -0700 > > Eric Rescorla <ekr@networkresonance.com> wrote: > > > >> I think there are two separate issues here: > >> > >> (1) Whether implementations should be required to send certificates > >> in a specific order. > >> (2) Whether implementations should generate an error if they are > >> received in another order. > >> > > "Be conservative in what you send; be liberal in what you accept." > > I thought we'd given up on that as a useful generalisation since it > introduces security problems in some circumstances, for example HTTP > header stuffing. Which is not to say I am opposed to this particular > change, but that adage is an entirely insufficient justification. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls Regards, Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827 _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Verifying X.509 Certificate Chains out of o… Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Rob Dugal
- Re: [TLS] Verifying X.509 Certificate Chains out … Dr Stephen Henson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Mike
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- [TLS] Antwort: Re: Verifying X.509 Certificate Ch… Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Jeffrey A. Williams
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Yoav Nir
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink