Re: [TLS] Root certificates in server certificate chains
Peter Sylvester <peter.sylvester@edelweb.fr> Wed, 01 September 2010 00:02 UTC
On 09/01/2010 12:30 AM, 1.41421@gmail.com wrote:

Dear truncated squareroot:

> The standard (RFC 5246, sec. 7.4.2) says that a server certificate
> chain may include, as the last entry in this chain, the root
> certificate that is to be considered the ultimate trust anchor as far
> the server certificate is concerned.

It doesn't say that.

    This is a sequence (chain) of certificates. The sender's
    certificate MUST come first in the list. Each following
    certificate MUST directly certify the one preceding it. Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority MAY be omitted from the chain, under the
    assumption that the remote end must already possess it in order to
    validate it in any case.

IMO it says that one may send what it believes to be a useful chain
including a potential trust anchor represented by a self signed (root)
cert. Not more.
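
The distinction drawn in this message, as an added example that is not part of the original post or of any TLS implementation: a receiver checks the ordering rule quoted from RFC 5246 sec. 7.4.2 and takes trust only from keys it already holds, so a self-signed root sent in the chain changes nothing. The `Cert` model, the `evaluate_chain` function and the sample names and keys are constructed assumptions; signature verification is replaced here by matching key labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str         # constructed stand-in for the subject public key
    signer_key: str  # constructed stand-in for the key that signed this cert

    def is_self_signed(self):
        return self.subject == self.issuer and self.key == self.signer_key

def certifies(parent, child):
    """True if `parent` directly certifies `child` (name and key both chain)."""
    return parent.subject == child.issuer and parent.key == child.signer_key

def evaluate_chain(chain, trusted_keys):
    """Return (verdict, note) for a server-sent chain and locally held root keys."""
    if not chain:
        return ("reject", "empty chain")
    # 7.4.2: each following certificate MUST directly certify the one preceding it.
    for i in range(len(chain) - 1):
        if not certifies(chain[i + 1], chain[i]):
            return ("reject", f"entry {i + 1} does not certify entry {i}")
    sent_root = chain[-1].is_self_signed()
    # Trust comes only from independently distributed keys, never from the chain.
    for cert in chain:
        if cert.signer_key in trusted_keys:
            note = "root sent but redundant" if sent_root else "root omitted"
            return ("trusted", note)
    if sent_root:
        return ("untrusted", "sent root is not a local trust anchor")
    return ("untrusted", "no local trust anchor")

# Constructed sample certificates (names and key labels are illustrative only).
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root")
INTER = Cert("Example Issuing CA", "Example Root CA", "k-int", "k-root")
LEAF = Cert("www.example.test", "Example Issuing CA", "k-leaf", "k-int")

if __name__ == "__main__":
    for chain, store in [([LEAF, INTER], {"k-root"}),
                         ([LEAF, INTER, ROOT], {"k-root"}),
                         ([LEAF, INTER, ROOT], set()),
                         ([LEAF, ROOT, INTER], {"k-root"})]:
        print(evaluate_chain(chain, store))
```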