Re: [TLS] Update spec to match current practices for certificate chain order

Ben Laurie <benl@google.com> Mon, 11 May 2015 11:28 UTC

From: Ben Laurie <benl@google.com>
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 11 May 2015 12:28:54 +0100
Message-ID: <CABrd9SSHZM-x8Tdm=Ejijjh6L277S+u_Zj3_bgaC-Cw2XjXNDg@mail.gmail.com>
In-Reply-To: <5B1D7E570380A64989D4C069F7D14BC8D7F63F2A@PINTO.missi.ncsc.mil>
References: <5B1D7E570380A64989D4C069F7D14BC8D7F62F04@PINTO.missi.ncsc.mil> <20150508150358.D695F1B2DE@ld9781.wdf.sap.corp> <5B1D7E570380A64989D4C069F7D14BC8D7F63F2A@PINTO.missi.ncsc.mil>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Vz61JR4Clr9fPYf3iy09YwGieCc>

On 8 May 2015 at 16:19, Kemp, David P. <DPKemp@missi.ncsc.mil> wrote:
> Martin Rex wrote:
>> Clients do not have to accommodate servers that violate MUSTs.
>
> Absolutely correct. Accommodating a compliant server is the only mandatory-to-implement requirement on clients.
>
>> In most cases, it is detrimental and often dangerous to work around
>> such protocol violations by the peer.
>
> How ???

Failure to strictly enforce protocols leads to security issues. For
example: https://www.owasp.org/index.php/HTTP_Request_Smuggling
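The disagreement above is about whether a client should reject a chain that violates the RFC 5246 7.4.2 ordering rule (sender's certificate first, each following certificate directly certifying the one before it) or silently accommodate it. The following is an added illustration, not code from Ben Laurie, Martin Rex, David Kemp or any TLS implementation. It uses constructed, name-only stand-ins for certificates: matching issuer and subject names is an assumption standing in for the signature verification a real client performs. It contrasts the strict check with the accommodating behaviour of rebuilding the path from an unordered bag, and shows where the accommodating path has to guess.

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed, simplified stand-in for an X.509 certificate: only the names
# matter here. A real client verifies each certificate's signature against the
# next certificate's public key instead of comparing subject/issuer strings.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def check_chain_order(chain: List[Cert]) -> Optional[str]:
    """Strict check of the RFC 5246 7.4.2 rule: the sender's certificate comes
    first and each following certificate MUST directly certify the one before
    it. Returns None if the list complies, otherwise a description of the first
    violation, at which point a strict client aborts the handshake."""
    if not chain:
        return "empty certificate_list"
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        if cur.subject != prev.issuer:
            return (f"certificate {i} ({cur.subject!r}) does not certify "
                    f"certificate {i - 1} (issued by {prev.issuer!r})")
    return None


def accommodate_out_of_order(chain: List[Cert]) -> Optional[List[Cert]]:
    """What an accommodating client does instead of rejecting: treat the list
    after the leaf as an unordered bag and rebuild the path by following issuer
    names. Assumption: the first certificate is still the leaf. The rebuilt
    path stops at a self-signed certificate or when no issuer is found in the
    bag (the chain may legitimately end below a root the client already trusts)."""
    if not chain:
        return None
    leaf = chain[0]
    by_subject = {}
    for c in chain[1:]:
        by_subject.setdefault(c.subject, []).append(c)
    path, cur = [leaf], leaf
    while cur.subject != cur.issuer:          # stop at a self-signed root
        candidates = by_subject.get(cur.issuer)
        if not candidates:
            break
        # When several certificates share a subject (e.g. a cross-signed
        # intermediate), the accommodating client has to guess which one the
        # server meant; taking the first is an arbitrary, order-dependent choice.
        cur = candidates[0]
        path.append(cur)
    return path


# Constructed sample chain (no real CA names or keys).
LEAF = Cert(subject="CN=www.example.test", issuer="CN=Example Intermediate CA")
INTERMEDIATE = Cert(subject="CN=Example Intermediate CA", issuer="CN=Example Root CA")
ROOT = Cert(subject="CN=Example Root CA", issuer="CN=Example Root CA")
# A second certificate for the same intermediate, issued by a different root.
CROSS_SIGNED = Cert(subject="CN=Example Intermediate CA", issuer="CN=Legacy Root CA")

CORRECT_ORDER = [LEAF, INTERMEDIATE, ROOT]
ROOT_BEFORE_INTERMEDIATE = [LEAF, ROOT, INTERMEDIATE]      # violates the MUST
AMBIGUOUS_BAG = [LEAF, CROSS_SIGNED, ROOT, INTERMEDIATE]   # two certs share a subject


if __name__ == "__main__":
    for label, chain in [("correct", CORRECT_ORDER),
                         ("root before intermediate", ROOT_BEFORE_INTERMEDIATE),
                         ("ambiguous bag", AMBIGUOUS_BAG)]:
        print(f"{label}: strict -> {check_chain_order(chain) or 'OK'}")
        rebuilt = accommodate_out_of_order(chain)
        print(f"{label}: accommodating -> {[c.subject for c in rebuilt]}")
```

The strict checker gives one answer that does not depend on anything but the bytes the server sent, which is what makes its behaviour easy to reason about. The accommodating path accepts the out-of-order list, but on the ambiguous bag it picks the cross-signed intermediate simply because it came first and then stops, so what the client ends up validating depends on incidental list order rather than on any rule in the specification.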