Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 May 2015 10:11 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>,
"mrex@sap.com" <mrex@sap.com>
Date: Thu, 21 May 2015 10:11:07 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB02813A@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <20150521002223.27E1F1B317@ld9781.wdf.sap.corp>,
<201505202215.52302.davemgarrett@gmail.com>
In-Reply-To: <201505202215.52302.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/RA0qQNkPAQwjBaRPt6HfTrz2sn0>
Dave Garrett <davemgarrett@gmail.com> writes:

> That said, your argument is basically just that it doesn't affect you so it's
> not worth dealing with. TLS is a general security protocol used on the Web,
> not just by your customers.

That was what I was going to reply to Martin's post with: "how many embedded devices did you sample when you came to the conclusion that the problem was negligible"?

I was only yesterday dealing with one, a PLC, that (a) returned a handshake failure if you connected to it with a TLS version greater than 1.0, (b) sent out garbled (but arguably valid) DH parameters, (c) seemed to order the certs in its chain at random (or at least it wasn't consistent over multiple connections), and (d) had an invalid cert. Their defence was that other vendors had been successfully interoperating with them for years, and my code was at fault.

However, if your world consists only of IIS and Apache (and presumably NetWeaver?) then it's easier to pretend that this stuff doesn't happen.

Peter.
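A client-side implementation of the tolerance this thread is arguing about, added here as an example that is not part of the original message or of any TLS library: it takes a certificate_list in whatever order a peer such as the PLC above sent it and rebuilds the leaf-first chain by subject/issuer linkage, rejecting lists that cannot form one chain. Certificates are modelled as constructed dicts and all names in the sample are assumptions.

```python
# Added example (not from the thread or any project): put a TLS certificate_list
# that arrives in arbitrary order, as the PLC described above sends it, into
# leaf-first order before path validation. Certs are constructed dicts with "id",
# "subject" and "issuer"; real code would read the X.509 names (and SKI/AKI).

def find_leaf(chain: list) -> dict:
    """The end-entity cert is the one that issued nothing else in the list."""
    issuers = {c["issuer"] for c in chain if c["issuer"] != c["subject"]}
    leaves = [c for c in chain if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"{len(leaves)} end-entity candidates, expected 1")
    return leaves[0]

def order_chain(chain: list) -> list:
    """Order certs leaf -> intermediates -> root, whatever order they arrived in.
    Rejects duplicates, ambiguity and cycles; a missing issuer ends the walk.
    """
    by_subject = {}
    for c in chain:
        if c["subject"] in by_subject:
            raise ValueError("duplicate subject: " + c["subject"])
        by_subject[c["subject"]] = c
    ordered = [find_leaf(chain)]
    seen = {ordered[0]["subject"]}
    while ordered[-1]["issuer"] != ordered[-1]["subject"]:  # stop at self-signed root
        parent = by_subject.get(ordered[-1]["issuer"])
        if parent is None:
            break  # issuer not sent; caller resolves it from its trust store
        if parent["subject"] in seen:
            raise ValueError("cycle in certificate chain")
        ordered.append(parent)
        seen.add(parent["subject"])
    return ordered

def is_well_formed(chain: list) -> bool:
    """True if the list can be arranged into a single linear chain."""
    try:
        order_chain(chain)
        return True
    except ValueError:
        return False

# Constructed sample: root, leaf and intermediate deliberately out of order.
SAMPLE = [
    {"id": "root", "subject": "CN=Example Root", "issuer": "CN=Example Root"},
    {"id": "leaf", "subject": "CN=plc.example.net", "issuer": "CN=Example Intermediate"},
    {"id": "inter", "subject": "CN=Example Intermediate", "issuer": "CN=Example Root"},
]
```

The reordering only establishes the candidate path; signature, validity and trust-anchor checks still run on the result, so a bad cert like the PLC's (d) is caught there rather than here.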