Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)

"Ryan Sleevi" <> Tue, 12 May 2015 22:51 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A93011A92DC for <>; Tue, 12 May 2015 15:51:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZOWZnMzYDrdO for <>; Tue, 12 May 2015 15:51:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A64151A92BA for <>; Tue, 12 May 2015 15:51:28 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 6D4BA67C091; Tue, 12 May 2015 15:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s=; bh=Ppg5s5T2knYGEIcUMSMd2SGZifk=; b=p5u9LiwwKU+Viieoh t4P8/f8jyPZEq7PfHSieAT/VlvHlQTBQR3qXmPb96qkGyUN2RNcWEaxtgoFcOwCX h85lUYPkPQ/UpVHxXw/1GmZMPpc8pOQtGIjiCAdVCXyT5HdVMBxO/CoNwqzJReme x++mMb+CkvFfVD/oJC5uH5gfZQ=
Received: from ( []) (Authenticated sender: by (Postfix) with ESMTPA id 3B91A67C07D; Tue, 12 May 2015 15:51:28 -0700 (PDT)
Received: from (SquirrelMail authenticated user by with HTTP; Tue, 12 May 2015 15:51:28 -0700
Message-ID: <>
In-Reply-To: <>
References: <>
Date: Tue, 12 May 2015 15:51:28 -0700
From: Ryan Sleevi <>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 May 2015 22:51:29 -0000

On Tue, May 12, 2015 3:38 pm, Martin Rex wrote:
>  Then add the line of text from rfc5280 or X.509 that explain what a
>  self-signed CA certificate is.

A self-signed CA certificate is not the same as a self-signed root CA
certificate, for example, nor are they to be confused with a self-issued
root CA certificate, which may not necessarily be self-signed.

>  I is *IMPOSSIBLE* to justify the use of "trust anchor" here.

I'll take that as you declining to read or respond then.

>  rfc5280 explicitly describes "trust anchor" to have only a *local*
>  meaning!
>  see rfc5280, section 6.2 (which I previously quoted).

I don't think the text supports your claim, but it's clear that no matter
how compelling the argument, there's no room for you to budge on this. It
is unfortunate, but at least consistent.

>  The Certificate handshake message PDU is produced by one TLS peer (sender)
>  and consumed/interpreted by the *OTHER* TLS peer.  But the concept of
>  a trust anchor is a thoroughly local issue, so the use of the terminology
>  for the TLS Certificate PDU is provably incorrect for at least one TLS
>  peer.

No, it's not, but again, I don't think there's any room left for progress
on the matter, since it seems less and less likely to get a technical
discussion of the facts.

If the TLS peer knows, through whatever means (RFC 6066, out of band prior
agreement, incantations of the illuminati passed from generation to
generation), the trust anchor of the peer, it may omit any certificates
that follow that trust anchor.

How is that a difficult or wrong concept?
In the case of DANE, the peer needs all certificates, including the
self-signed, self-issued CA certificate expressed in the DANE record.
In the case of clients, if the server has perfect knowledge, then it can
omit the unnecessary certificates.

We've already established extensively why the myriad trust stores and
clients make such apriori knowledge on the Internet at large difficult to
impossible, and I think it's foolish to claim that
1) We replace the entire PKI with some future system
2) We replace the entire client TLS space with some future system that
ignores RFC 4158 (which will not happen)
3) We replace the entire server TLS space with some future system that
strictly enforces the TLS requirements (which will not happen; the ample
evidence of SSL3, RC4, Renego, etc provide ample proof of this)

So we deal with the system we have, the constraints we have, the clients
we have, the PKI we have, and we seek rough consensus and running code.
The vast majority of running code disagrees with you, and, by proxy, the
spec. Can we at least agree to that much?