Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 13 May 2015 06:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE7B41A0A6A for <tls@ietfa.amsl.com>; Tue, 12 May 2015 23:23:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwxjYQ1K9OPh for <tls@ietfa.amsl.com>; Tue, 12 May 2015 23:23:29 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 612461A06FD for <tls@ietf.org>; Tue, 12 May 2015 23:23:29 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 296C8283032; Wed, 13 May 2015 06:23:28 +0000 (UTC)
Date: Wed, 13 May 2015 06:23:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150513062327.GS17272@mournblade.imrryr.org>
References: <20150512192950.C93F21B2EB@ld9781.wdf.sap.corp> <939995E0-4ED0-479A-8B3A-628FE2C8C31B@gmail.com> <CAFewVt6cCKk95BH9e9hzAvgqFJwDhiAM-mHUPtGittqQ1=C9qw@mail.gmail.com> <A052A1F5-C178-4187-ADC9-11D2AE0E69A0@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <A052A1F5-C178-4187-ADC9-11D2AE0E69A0@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Y-yQupKvfnhaITUSOLEXNB49iBU>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 06:23:30 -0000
On Wed, May 13, 2015 at 08:58:54AM +0300, Yoav Nir wrote: > So I agree that for regular TLS sending the entire chain is the right > thing to do, as is sending a stapled OCSP response. I just don't think > building a chain through other means is in any way "bad". It can be at least onerous. Clients speaking a given protocol may not be at liberty to connect to anything other than their peer, and may not posess an HTTP stack with which to make out-of-band requests. The SSL/TLS library cannot transparently attempt such additional connections with consent and mediation for connection establishment and event loop integration from the application layer to engage in the additional communications. So in-band is definitely simpler, and leaks less data to third parties. -- Viktor.
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Andrei Popov
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ben Laurie
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Watson Ladd
- Re: [TLS] [tls13-spec] relax certificate_list ord… Nikos Mavrogiannopoulos
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Daniel Kahn Gillmor
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Fabrice Gautier
- Re: [TLS] [tls13-spec] relax certificate_list ord… Brian Smith
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Peter Gutmann
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex