Re: [TLS] Update spec to match current practices for certificate chain order

Peter Gutmann <> Thu, 07 May 2015 14:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2AE3B1A90C7 for <>; Thu, 7 May 2015 07:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.31
X-Spam-Status: No, score=-1.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, J_CHICKENPOX_66=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W5rZTn_4Vj0l for <>; Thu, 7 May 2015 07:43:47 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 295B01A88F2 for <>; Thu, 7 May 2015 07:43:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1431009827; x=1462545827; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=zJkYOB1RSwFszmBiLsd9yxAglhGcJxhdwF02bpl0ohY=; b=bDFQqqEv/RAGN6SRAotSHs0aTiiSWd/SuGcDKwAcacSSzrh/l9SbAQQO 1MQVLmIUf3phgTURP0pHZMj2hzoBE5DkrXymub5bXSqh+3MC7gETf+LUY kMCAROhF0FZcJb/VV4kbIIs9imkvwxSRwIqzip3pge/6xcHteO4gMw4Cu U=;
X-IronPort-AV: E=Sophos;i="5.13,384,1427713200"; d="scan'208";a="3543959"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 08 May 2015 02:43:45 +1200
Received: from ([]) by ([]) with mapi id 14.03.0174.001; Fri, 8 May 2015 02:43:45 +1200
From: Peter Gutmann <>
To: "<>" <>
Thread-Topic: [TLS] Update spec to match current practices for certificate chain order
Thread-Index: AdCI1Dg/2ozacAakSXysMh8LQCn4jA==
Date: Thu, 7 May 2015 14:43:45 +0000
Message-ID: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Update spec to match current practices for certificate chain order
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 May 2015 14:43:48 -0000

Martin Rex <> writes:

>PKCS#7/CMS uses a Issuer&Serial (or alternatively SKI) to clearly identify
>the end-entity certificate.  In TLS, the identification is the first position
>in certificate_list.  So it is not possible to "blindly reuse" the code with
>respect to identifying the end-entity certificate.

Yes it is, as I mentioned in my previous message my code looks for the server
FQDN/whatever and uses the cert that contains that as the leaf cert.  It's the
same process that's used for IssuerAndSerialNumber, SCEP client IDs, and
various other things, "find the cert for the identified party, then follow
parent links to build the chain".