IETF Logo Mail Archive

Re: [TLS] Consensus on PR 169 - relax certificate list requirements

"Santosh Chokhani" <santosh.chokhani@gmail.com> Thu, 27 August 2015 17:22 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70091B3C77 for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 10:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oSRxfACyl6D1 for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 10:22:33 -0700 (PDT)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BFFA1B3CAB for <tls@ietf.org>; Thu, 27 Aug 2015 10:22:33 -0700 (PDT)
Received: by igui7 with SMTP id i7so66415232igu.1 for <tls@ietf.org>; Thu, 27 Aug 2015 10:22:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-type:content-transfer-encoding:thread-index :content-language; bh=XqVe37WTBCqKR3Oi1qupYPRV8Dg2hEoo2VrxPLCq4Do=; b=S5nxU4rb/+PdYqd/TyV1XvWMACytGfm5LnF1wwSOBsFD4XmANpYx+QFZiLh/AslnoE FI2exiVwYeJWdYozmSQwHuwwba9Wf1hksjDBwHmvwKuRFZkBSktIMg1L8PRNqUP4Ym+B Nx/7GcZt1Q/mp6HHorTnKxvVkv8PGkJonGlvoc2Uh8cLGUn9wzghZGu4I6r57l+9S4tg /rhkiNAEeFtpQofFcurggB5GNYB5if2ytG6qTfAiTAQWurPjPoyzgKif0B9X1vLFAeSP M+dbTMQPGhurq29E14k4cqn7OciwacvhFFn2wsGhc0iR971HSTq9Un3KL09bdDfWKRrZ btLQ==
X-Received: by 10.50.79.202 with SMTP id l10mr10418411igx.7.1440696152542; Thu, 27 Aug 2015 10:22:32 -0700 (PDT)
Received: from wcygchokhani (d226-123-206.home.cgocable.net. [24.226.123.206]) by smtp.gmail.com with ESMTPSA id yr6sm6362279igb.14.2015.08.27.10.22.31 (version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 27 Aug 2015 10:22:31 -0700 (PDT)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Dave Garrett' <davemgarrett@gmail.com>, tls@ietf.org
References: <CAOgPGoAPCXkzc=01_+FPSJcxV8vEQmBUYNGYaWMdKpSGU0M0Lg@mail.gmail.com> <201508261742.01242.davemgarrett@gmail.com>
In-Reply-To: <201508261742.01242.davemgarrett@gmail.com>
Date: Thu, 27 Aug 2015 13:22:33 -0400
Message-ID: <029b01d0e0ec$f6706890$e35139b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH8kcAbrURJ+nrXVHG9nAKgjV7ZWgJFzuk5nbaEuoA=
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/R7pepFB83TVIYxmNmmbgPQLJ3NI>
Subject: Re: [TLS] Consensus on PR 169 - relax certificate list requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 17:22:34 -0000

To me it seems that both of these wordings could be interpreted by someone
that if you do not have a trust anchor and you get it in the TLS handshake,
you can use it and trust it.

That sounds dangerous.

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dave Garrett
Sent: Wednesday, August 26, 2015 5:42 PM
To: tls@ietf.org
Subject: Re: [TLS] Consensus on PR 169 - relax certificate list requirements

On Wednesday, August 26, 2015 05:11:01 pm Joseph Salowey wrote:
> It looks like we have good consensus on PR 169 to relax certificate 
> list ordering requirements.  I had one question on the revised text.  
> I'm unclear on the final clause in this section:
> 
> "Because certificate validation requires that trust anchors be 
> distributed independently, a self-signed certificate that specifies a 
> trust anchor MAY be omitted from the chain, provided that supported 
> peers are known to possess any omitted certificates they may require."
> 
> I just want to make sure there isn't the intention of omitting 
> certificates that are not seif-signed.

Well, technically anything can be omitted; it just won't validate. :p

I'm not opposed to tweaking the wording here, but I don't really see it as a
problem. If someone does, though, that's reason enough for me to agree to
changing it.

Simplest change is:
"any omitted certificates they may require"  ->  "it"
\/
"Because certificate validation requires that trust anchors be distributed
independently, a self-signed certificate that specifies a trust anchor MAY
be omitted from the chain, provided that supported peers are known to
possess it."


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email