Re: [TLS] Verifying X.509 Certificate Chains out of order

Mike <> Mon, 06 October 2008 22:58 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

> It is a big waste to sort and sort and sort the list each time
> it is processed.  The one who is persisting the data (credential holder)
> can sort it once and for all.

As another data point, my software will first attempt to validate the
certificate chain in the order it was received, but if it finds that
one certificate did not issue the previous one, it then attempts to
put them in the correct order and revalidate the chain.

I had to do this sometime last year because I couldn't connect to one
of the major credit card companies' websites with my own software, but
my browsers were able to.  An additional problem with that site was
their CRL was PEM encoded!

As has been said, be liberal in what you accept....

TLS mailing list
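The validation strategy Mike describes (try the chain in the order it arrived; if some certificate did not issue the one before it, reorder by issuer/subject linkage and validate again) as an added, self-contained example. This is not code from the post or from Mike's software. Certificates are modelled as constructed records with a subject, an issuer, a public-key identifier and the identifier of the key that signed them, so the example runs offline; `verify_signature()` is a stand-in for the real signature check over the TBSCertificate and would be replaced by a library call in practice. The names `CN=Example Root`, `CN=Example Intermediate` and `CN=www.example.test` are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    subject: str
    issuer: str
    public_key: str    # identifier of the key this certificate certifies
    signed_with: str   # identifier of the key that produced its signature


def verify_signature(cert: Cert, issuer: Cert) -> bool:
    """Stand-in for a real signature check: the issuer name must match and the
    signature must have been made with the issuer certificate's key."""
    return cert.issuer == issuer.subject and cert.signed_with == issuer.public_key


def validate_in_order(chain: List[Cert], anchors: Iterable[Cert]) -> bool:
    """Validate a leaf-first chain exactly as received: chain[i+1] must have
    issued chain[i], and the last certificate must be, or chain to, a trust anchor."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if not verify_signature(child, parent):
            return False
    anchor_list = list(anchors)
    last = chain[-1]
    if last in anchor_list:
        return True
    return any(verify_signature(last, anchor) for anchor in anchor_list)


def reorder_chain(certs: List[Cert]) -> Optional[List[Cert]]:
    """Rebuild leaf-first order by following issuer -> subject links.

    Returns None when the bundle is ambiguous: duplicate subjects, no unique leaf
    (which is also what a missing intermediate looks like), or a name loop.
    Ordering by names is only a heuristic; the reordered chain must still pass
    validate_in_order(), which does the actual signature checks."""
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        return None
    issuers_present = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers_present]
    if len(leaves) != 1:
        return None
    ordered = [leaves[0]]
    seen = {leaves[0].subject}
    while True:
        current = ordered[-1]
        if current.issuer == current.subject:
            break  # self-signed: top of what we were given
        parent = by_subject.get(current.issuer)
        if parent is None:
            break  # issuer not in the bundle; the caller's anchors must cover it
        if parent.subject in seen:
            return None  # issuer/subject names form a loop
        ordered.append(parent)
        seen.add(parent.subject)
    return ordered


def validate_chain(chain: List[Cert], anchors: List[Cert]) -> bool:
    """Received order first; on failure, reorder once and revalidate."""
    if validate_in_order(chain, anchors):
        return True
    reordered = reorder_chain(chain)
    if reordered is None or reordered == chain:
        return False
    return validate_in_order(reordered, anchors)


# Constructed sample data: a root, an intermediate and a server certificate.
ROOT = Cert("CN=Example Root", "CN=Example Root", "k-root", "k-root")
INTER = Cert("CN=Example Intermediate", "CN=Example Root", "k-inter", "k-root")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate", "k-leaf", "k-inter")
# Same names as INTER but signed with a key no anchor certifies.
FORGED_INTER = Cert("CN=Example Intermediate", "CN=Example Root", "k-inter", "k-evil")
ANCHORS = [ROOT]

if __name__ == "__main__":
    out_of_order = [LEAF, ROOT, INTER]
    print("as received:", validate_in_order(out_of_order, ANCHORS))   # False
    print("after reorder:", validate_chain(out_of_order, ANCHORS))    # True
    print("forged intermediate:", validate_chain([LEAF, ROOT, FORGED_INTER], ANCHORS))  # False
```

The forged-intermediate case is the check worth keeping in mind when adopting this leniency: reordering only changes which certificate is tested against which, never what counts as a valid signature, so accepting a mis-ordered chain costs nothing in assurance as long as the reordered chain goes through the same verification as a well-ordered one.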