Re: [TLS] Verifying X.509 Certificate Chains out of order

"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Sun, 12 October 2008 23:05 UTC

Message-ID: <48F14BB6.B29CC43C@ix.netcom.com>
Date: Sat, 11 Oct 2008 17:58:30 -0700
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Organization: IDNS and Spokesman for INEGroup
To: Ben Laurie <benl@google.com>
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org

Ben and all,

  I fully agree with you Ben.  I for one am often willing to send
what I feel is appropriate whether or not others believe so,
as long as it is in context and in keeping with the
theme or topic at hand.

Ben Laurie wrote:

> On Mon, Oct 6, 2008 at 4:33 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> > On Mon, 06 Oct 2008 07:41:52 -0700
> > Eric Rescorla <ekr@networkresonance.com> wrote:
> >
> >> I think there are two separate issues here:
> >>
> >> (1) Whether implementations should be required to send certificates
> >>     in a specific order.
> >> (2) Whether implementations should generate an error if they are
> >>     received in another order.
> >>
> > "Be conservative in what you send; be liberal in what you accept."
>
> I thought we'd given up on that as a useful generalisation since it
> introduces security problems in some circumstances, for example HTTP
> header stuffing. Which is not to say I am opposed to this particular
> change, but that adage is an entirely insufficient justification.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827

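As an added illustration of the two questions Eric Rescorla separates in the quoted message (this is not code from any list participant or from any TLS stack): a path builder that accepts the intermediates in whatever order they arrive, plus a strict switch that instead rejects a mis-ordered chain. Cert, is_in_order and build_chain are hypothetical names, and a certificate is modelled by its subject and issuer names only; the sample certificates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for a parsed X.509 certificate: only the fields the
# ordering problem needs. A real validator also checks signatures, validity
# dates, name constraints and key identifiers before trusting a link.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def is_in_order(certs: List[Cert], roots: List[Cert]) -> bool:
    """True if each certificate is directly certified by the next one and the
    last one is issued by a trust anchor (the order TLS asks senders to use)."""
    anchors = {r.subject for r in roots}
    for cur, nxt in zip(certs, certs[1:]):
        if cur.issuer != nxt.subject:
            return False
    return bool(certs) and certs[-1].issuer in anchors


def build_chain(certs: List[Cert], roots: List[Cert], strict: bool = False) -> List[Cert]:
    """Return the path end-entity -> ... -> trust anchor.

    certs[0] is the end-entity certificate; the remaining entries may arrive in
    any order. With strict=True the sender's order must already be correct
    (issue 2 in the thread); otherwise the path is rebuilt by issuer/subject
    linkage, failing closed on missing, ambiguous or looping links."""
    if not certs:
        raise ValueError("empty certificate list")
    if strict and not is_in_order(certs, roots):
        raise ValueError("certificates not in issuer order")
    anchors = {r.subject: r for r in roots}
    by_subject: Dict[str, List[Cert]] = {}
    for c in dict.fromkeys(certs[1:]):      # drop exact duplicates
        by_subject.setdefault(c.subject, []).append(c)
    chain, seen = [certs[0]], {certs[0].subject}
    while chain[-1].issuer not in anchors:
        cur = chain[-1]
        candidates = by_subject.get(cur.issuer, [])
        if not candidates:
            raise ValueError(f"no issuer certificate for {cur.issuer!r}")
        if len(candidates) > 1:
            raise ValueError(f"ambiguous issuer certificates for {cur.issuer!r}")
        nxt = candidates[0]
        if nxt.subject in seen or nxt.subject == nxt.issuer:
            raise ValueError("loop or untrusted self-signed certificate in chain")
        seen.add(nxt.subject)
        chain.append(nxt)
    chain.append(anchors[chain[-1].issuer])
    return chain
```

The tolerant mode is only as safe as the path builder behind it: every link still has to be checked cryptographically, and the builder must terminate on loops and refuse to guess between candidates.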