Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 May 2015 10:11 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8199A1ACCE2 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 03:11:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCO6zEZ9ilUI for <tls@ietfa.amsl.com>; Thu, 21 May 2015 03:11:09 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F6781ACCE1 for <tls@ietf.org>; Thu, 21 May 2015 03:11:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1432203069; x=1463739069; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=j4wGe8p4uI/1S7SJtubqzgtEYgbWwoDPTozWTTDtClY=; b=QV3UmGFAXgzu3mm4yoa7NckGd+io1s3psLAzsiCw//0fGuUfskhzqOQ8 uYHsTkIf5EdWaxWhfJZ7Td031nyZJgj+zxN77mqtrqZZaNC9ZxCt+z8Aw Q0G7aVqXMEvK1blZsBh6OF/xAqm4YoSpZ9SRkMkrcHn1NCF9RC+84n63r h5mkV1/1MjWK7SFb/o4CLQ+3Qclf03bNuzZN70dJQ8yueCvwZJLGPQsSY qk8TcgU/LcYVcO5dQlxygf02orJTdFSKtBA3ZkpRppgc7X7PwDit/3mnM bat83BMnxZfgJgxiwCzVFoN1F0bydgFVlqgXu0EewWlJGeXHkaEo1gkPP w==;
X-IronPort-AV: E=Sophos;i="5.13,468,1427713200"; d="scan'208";a="17343403"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing
Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 21 May 2015 22:11:07 +1200
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.151]) by uxchange10-fe2.UoA.auckland.ac.nz ([130.216.4.106]) with mapi id 14.03.0174.001; Thu, 21 May 2015 22:11:07 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi
Thread-Index: AdCSLOLGJVnE1j84SD6Bm7bXqoznGwAJP6uQAAXX/AAAODgicP//WvuAgAAftICAAU2jZQ==
Date: Thu, 21 May 2015 10:11:07 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB02813A@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <20150521002223.27E1F1B317@ld9781.wdf.sap.corp>, <201505202215.52302.davemgarrett@gmail.com>
In-Reply-To: <201505202215.52302.davemgarrett@gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/RA0qQNkPAQwjBaRPt6HfTrz2sn0>
Subject: Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 10:11:11 -0000

Dave Garrett <davemgarrett@gmail.com>; writes:

>That said, your argument is basically just that it doesn't affect you so it's
>not worth dealing with. TLS is a general security protocol used on the Web,
>not just by your customers.

That was what I was going to reply to Martin's post with, "how many embedded
devices did you sample when you came to the conclusion that the problem was
negligible"?  I was only yesterday dealing with one, a PLC, that (a) returned
a handshake failure if you connected to it with a TLS version greater than
1.0, (b) sent out garbled (but arguably valid) DH parameters, (c) seemed to
order the certs in its chain at random (or at least it wasn't consistent over
multiple connections), and (d) had an invalid cert.  Their defence was that
other vendors had been successfully interoperating with them for years, and my
code was at fault.  However if your world consists only of IIS and Apache (and
presumably NetWeaver?) then it's easier to pretend that this stuff doesn't
happen.

Peter.