Re: [TLS] Root certificates in server certificate chains

Peter Sylvester <peter.sylvester@edelweb.fr> Wed, 01 September 2010 00:02 UTC

Message-ID: <4C7D9839.2060008@edelweb.fr>
Date: Wed, 01 Sep 2010 02:03:05 +0200
From: Peter Sylvester <peter.sylvester@edelweb.fr>
To: tls@ietf.org
References: <90e6ba1818805af088048f262265@google.com>
In-Reply-To: <90e6ba1818805af088048f262265@google.com>
Subject: Re: [TLS] Root certificates in server certificate chains

On 09/01/2010 12:30 AM, 1.41421@gmail.com wrote:

Dear truncated squareroot:
> The standard (RFC 5246, sec. 7.4.2) says that a server certificate 
> chain may include, as the last entry in this chain, the root 
> certificate that is to be considered the ultimate trust anchor as far 
> as the server certificate is concerned.
It doesn't say that.

       This is a sequence (chain) of certificates.  The sender's
       certificate MUST come first in the list.  Each following
       certificate MUST directly certify the one preceding it.  Because
       certificate validation requires that root keys be distributed
       independently, the self-signed certificate that specifies the root
       certificate authority MAY be omitted from the chain, under the
       assumption that the remote end must already possess it in order to
       validate it in any case.

IMO it says that one may send what it
believes to be a useful chain including a potential trust anchor
represented by a self-signed (root) cert. Not more.
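The point of the reply, in code: the chain rule of RFC 5246 sec. 7.4.2 is an ordering rule (sender's certificate first, each following certificate directly certifies the one before it, the self-signed root optionally present), and a self-signed certificate at the end of the chain is only an offer from the sender, not a trust anchor. The anchor is whatever key the verifier already trusts from its own store. The following is an added illustration, not code from the thread or from any TLS implementation; certificates are modelled as plain records with subject, issuer and key identifiers (standing in for X.509 subject/issuer names and SKI/AKI) so that it runs offline, and the sample chains and trust store are constructed.

```python
"""Chain-order and anchoring check in the sense of RFC 5246 sec. 7.4.2.

Added illustration. Certificates are simplified records, not real X.509;
signature verification is replaced by matching key identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identifier of this certificate's own public key (SKI)
    issuer_key_id: str  # identifier of the key that signed it (AKI)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id


def check_chain(chain: List[Cert], trusted_keys: Set[str]) -> Dict[str, object]:
    """Apply the 7.4.2 ordering rule, then anchor the chain in the verifier's
    own trust store.  Returns a dict with 'ok', 'reason', 'anchor' (the trusted
    key id the chain was anchored at, or None) and 'root_sent' (whether the
    sender appended a self-signed certificate)."""
    if not chain:
        return {"ok": False, "reason": "empty chain", "anchor": None, "root_sent": False}

    # "Each following certificate MUST directly certify the one preceding it."
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.subject != prev.issuer or nxt.key_id != prev.issuer_key_id:
            return {
                "ok": False,
                "reason": f"'{nxt.subject}' does not directly certify '{prev.subject}'",
                "anchor": None,
                "root_sent": chain[-1].self_signed,
            }

    root_sent = chain[-1].self_signed

    # The sender's self-signed root, if present, proves nothing by itself.
    # Walk from the end-entity upwards and stop at the first certificate
    # whose issuing key the verifier already trusts independently.
    anchor: Optional[str] = None
    for cert in chain:
        if cert.issuer_key_id in trusted_keys:
            anchor = cert.issuer_key_id
            break

    if anchor is None:
        return {
            "ok": False,
            "reason": "no certificate in the chain is issued by a trusted key",
            "anchor": None,
            "root_sent": root_sent,
        }
    return {"ok": True, "reason": "anchored at trusted key", "anchor": anchor, "root_sent": root_sent}


# Constructed sample PKI: a root, one intermediate, one server certificate.
ROOT = Cert("Example Root CA", "Example Root CA", "k_root", "k_root")
INTER = Cert("Example Issuing CA", "Example Root CA", "k_inter", "k_root")
LEAF = Cert("www.example.test", "Example Issuing CA", "k_leaf", "k_inter")

# A self-signed certificate nobody trusts, appended by a sender who hopes
# its mere presence will be taken as the anchor.
ROGUE_ROOT = Cert("Rogue Root", "Rogue Root", "k_rogue", "k_rogue")
ROGUE_INTER = Cert("Rogue Issuing CA", "Rogue Root", "k_rinter", "k_rogue")
ROGUE_LEAF = Cert("www.example.test", "Rogue Issuing CA", "k_rleaf", "k_rinter")

TRUST_STORE = {"k_root"}  # the verifier's independently distributed anchor


if __name__ == "__main__":
    cases = {
        "root omitted": [LEAF, INTER],
        "root included": [LEAF, INTER, ROOT],
        "misordered": [INTER, LEAF],
        "rogue self-signed root included": [ROGUE_LEAF, ROGUE_INTER, ROGUE_ROOT],
    }
    for name, chain in cases.items():
        print(f"{name:32s} -> {check_chain(chain, TRUST_STORE)}")
```

The two valid chains, with and without the appended root, anchor at the same trusted key, which is what the MAY in 7.4.2 amounts to; the chain ending in an untrusted self-signed certificate fails even though it is perfectly well ordered.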