Re: [TLS] Update spec to match current practices for certificate chain order

"Kemp, David P." <DPKemp@missi.ncsc.mil> Fri, 08 May 2015 15:19 UTC

Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F4131A8A8E for <tls@ietfa.amsl.com>; Fri, 8 May 2015 08:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4s1aSieQtDGk for <tls@ietfa.amsl.com>; Fri, 8 May 2015 08:19:28 -0700 (PDT)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EB381A8925 for <tls@ietf.org>; Fri, 8 May 2015 08:19:28 -0700 (PDT)
Received: from Morgan.missi.ncsc.mil (morgan.missi.ncsc.mil [144.51.60.155]) by stingray.missi.ncsc.mil with ESMTP id t48FJRpb031198 for <tls@ietf.org>; Fri, 8 May 2015 11:19:27 -0400 (EDT)
Received: from PINTO.missi.ncsc.mil ([fe80::60c7:cec6:b35c:deed]) by Morgan.missi.ncsc.mil ([::1]) with mapi id 14.03.0210.002; Fri, 8 May 2015 11:19:27 -0400
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Update spec to match current practices for certificate chain order
Thread-Index: AQHQiZn8GsXTU1lDEU6QPCBLhUKLhZ1yJW3wgABK2AD//74qcA==
Date: Fri, 8 May 2015 15:19:26 +0000
Message-ID: <5B1D7E570380A64989D4C069F7D14BC8D7F63F2A@PINTO.missi.ncsc.mil>
References: <5B1D7E570380A64989D4C069F7D14BC8D7F62F04@PINTO.missi.ncsc.mil> <20150508150358.D695F1B2DE@ld9781.wdf.sap.corp>
In-Reply-To: <20150508150358.D695F1B2DE@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [144.51.60.29]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dJT8dkPwrMI8CeZjStOM7tqBTCQ>
Subject: Re: [TLS] Update spec to match current practices for certificate chain order
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2015 15:19:30 -0000

Martin Rex wrote:
> Clients do not have to accomodate server that violate MUSTS.

Absolutely correct.   Accommodating a compliant server is the only mandatory to implement requirement on clients.

> In most cases, it is detrimental and often dangerous to work around
> such protocol violations by the peer.

How ???

> Either the certification path presented by the server crosses through
> the trust anchor(s) of the client or ends there -- then you get interop,
> or it doesn't then you get interop failure.

Clients that provide value-added (optional) path construction functionality do not fail, either operationally or security-wise.   Perhaps no such clients exist, now or in the future.  But if they do, satisfying more than the MUSTS does not make them non-compliant.