Re: [TLS] Verifying X.509 Certificate Chains out of order

Rob Dugal <rdugal@certicom.com> Mon, 06 October 2008 11:58 UTC

From: Rob Dugal <rdugal@certicom.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "simon@josefsson.org" <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 6 Oct 2008 07:57:01 -0400
Thread-Topic: [TLS] Verifying X.509 Certificate Chains out of order
Thread-Index: AcknmExg6Qk0YMFfSp2JhX75Jb2iKwAEen1w
Message-ID: <C49217E2D694874EB820EA90DCE67619011E1FACC5@EX40.exchserver.com>
References: <87abdit8c2.fsf_-_@mocca.josefsson.org> <E1Kmme1-0007As-9b@wintermute01.cs.auckland.ac.nz>
In-Reply-To: <E1Kmme1-0007As-9b@wintermute01.cs.auckland.ac.nz>

Certicom's SSL-C toolkit does verify out of order chains but will generate verification warnings that may be overridden by applications.

> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Peter Gutmann
> Sent: Monday, October 06, 2008 5:45 AM
> To: simon@josefsson.org; tls@ietf.org
> Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
>
> Simon Josefsson <simon@josefsson.org> writes:
>
> >It is claimed that OpenSSL, IE and Firefox do not enforce the second
> >MUST in the paragraph above, and succeed in verifying an
> >out-of-sequence chain.  I haven't verified the claim.  It appears as if
> >the OpenSSL developers don't consider their behaviour a bug (see
> >reply below).
>
> Add cryptlib to the list of implementations that don't care about the order.
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about
> cert order.
>
> >What are others' opinions on this?  I'm looking for some guidance on
> >whether we should modify our current behaviour.
>
> I'd say modify it, in fact I'm not sure what the rationale for requiring
> ordering was in the original spec, "it's tidier that way" doesn't strike me as
> a good argument :-).
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
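An added illustration, not code from this thread or from any of the toolkits named in it: a chain builder that tolerates an out-of-order Certificate message by linking each certificate's issuer to another's subject, and reports deviations from the RFC ordering rules as warnings the caller may choose to override, the behaviour the SSL-C reply above describes. Certificates are modelled as constructed (subject, issuer) name pairs; the name strings and warning codes are assumptions, and signature, validity and constraint checks are out of scope.

```python
"""Reorder a TLS Certificate message by issuer/subject linkage (added example).

Certificates are constructed (subject, issuer) pairs only; a real verifier
also checks signatures, validity periods and name constraints.
"""


def find_leaf(certs):
    """The end-entity cert is the one whose subject issued nothing else in
    the message (a self-signed root issues itself and is not counted)."""
    issuers = {issuer for subject, issuer in certs if subject != issuer}
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        return None  # zero or several candidates: no unambiguous chain
    return leaves[0]


def build_chain(certs):
    """Return (chain, warnings).

    chain runs leaf -> ... -> highest certificate present in the message.
    warnings lists ordering deviations so the application can decide
    whether to proceed; an empty list means the peer followed both MUSTs."""
    warnings = []
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    if len(by_subject) != len(certs):
        warnings.append("duplicate-subject")  # e.g. cross-signed roots; not resolved here
    leaf = find_leaf(certs)
    if leaf is None:
        return [], warnings + ["no-unique-leaf"]
    if leaf != certs[0]:
        warnings.append("leaf-not-first")  # first MUST: sender's cert comes first
    chain = [leaf]
    current = leaf
    while current[0] != current[1]:  # stop at a self-signed certificate
        nxt = by_subject.get(current[1])
        if nxt is None:
            warnings.append("incomplete")  # issuer omitted; may be a local trust anchor
            break
        if nxt in chain:
            warnings.append("cycle")
            break
        chain.append(nxt)
        current = nxt
    if chain != certs[: len(chain)]:
        warnings.append("out-of-order")  # second MUST: each cert certifies the preceding one
    return chain, warnings
```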