Re: [TLS] Consensus on PR 169 - relax certificate list requirements
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 27 August 2015 17:29 UTC
Date: Thu, 27 Aug 2015 17:29:47 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150827172946.GR9021@mournblade.imrryr.org>
References: <CAOgPGoAPCXkzc=01_+FPSJcxV8vEQmBUYNGYaWMdKpSGU0M0Lg@mail.gmail.com> <201508261742.01242.davemgarrett@gmail.com> <029b01d0e0ec$f6706890$e35139b0$@gmail.com>
In-Reply-To: <029b01d0e0ec$f6706890$e35139b0$@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dO8EIwRCmPjMX63ws_jAQPQVets>
On Thu, Aug 27, 2015 at 01:22:33PM -0400, Santosh Chokhani wrote:

> To me it seems that both of these wordings could be interpreted by someone
> that if you do not have a trust anchor and you get it in the TLS handshake,
> you can use it and trust it.
>
> That sounds dangerous.

Beyond a general "there's no such thing as fool-proof", I don't see how
such an interpretation might be arrived at.

Trust-anchors are both frequently sent and frequently not sent in the
TLS handshake. The new text just says that it may be acceptable to omit
them, but sometimes clients need the trust-anchor certificate to be sent,
because they verify it by fingerprint or similar, and don't have a
(complete) local copy.

The text is fine.

-- 
	Viktor.
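The distinction drawn in the message above, as an added illustration that is not part of the thread and not code from any TLS implementation: a client never trusts a self-signed certificate merely because the server included it in the Certificate message; it accepts it only if it matches a locally held copy or a locally pinned fingerprint, and a client that holds an anchor only by fingerprint cannot validate at all if the server omits the anchor. The `Cert` record, the `select_anchor` function and all certificate names and bytes are constructed placeholders for this example; it models chain ordering and anchor selection only, with signature, validity-period and name checks assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical, not a real parser)."""
    subject: str
    issuer: str
    der: bytes  # constructed placeholder standing in for the DER encoding

    def fingerprint(self) -> str:
        # Fingerprint = SHA-256 over the DER bytes, the usual pinning input.
        return hashlib.sha256(self.der).hexdigest()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def select_anchor(
    chain: List[Cert],
    local_anchors: Dict[str, Cert],
    pinned_fingerprints: Set[str],
) -> Tuple[Optional[Cert], str]:
    """Decide which trust anchor, if any, terminates the presented chain.

    chain: certificates as sent in the TLS Certificate message, leaf first.
    local_anchors: full copies of anchors the client holds, keyed by subject.
    pinned_fingerprints: SHA-256 fingerprints of anchors the client knows
        only by fingerprint and holds no copy of.
    Returns (anchor, reason); anchor is None when the chain is rejected.
    Signature, validity and hostname checks are out of scope for this model.
    """
    if not chain:
        return None, "empty chain: rejected"
    # Each certificate must be issued by the next one in the list.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return None, (f"chain break: {child.subject!r} is issued by "
                          f"{child.issuer!r}, not {parent.subject!r}: rejected")

    top = chain[-1]
    if top.self_signed:
        # The server sent a self-signed certificate. Being sent does not make
        # it trusted: it must match something the client already holds.
        if top.fingerprint() in pinned_fingerprints:
            return top, "self-signed cert sent in handshake matches a pinned fingerprint"
        local = local_anchors.get(top.subject)
        if local is not None and local.der == top.der:
            return local, "self-signed cert sent in handshake is byte-identical to the local copy"
        # A matching subject name alone is not a match; the bytes differ.
        return None, "self-signed cert sent in handshake matches no local anchor or pin: rejected"

    # Anchor omitted from the handshake: the client must already hold a copy.
    local = local_anchors.get(top.issuer)
    if local is not None:
        return local, "anchor omitted from handshake; full local copy found by issuer name"
    if pinned_fingerprints:
        return None, ("anchor omitted from handshake and the client holds anchors only by "
                      "fingerprint: nothing to hash, rejected")
    return None, f"anchor omitted and no local anchor for issuer {top.issuer!r}: rejected"


# Constructed sample certificates (placeholder bytes, not real DER).
ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-der:example-root")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                    b"constructed-der:example-intermediate")
LEAF = Cert("www.example.com", "Example Intermediate CA", b"constructed-der:example-leaf")
# Same subject name as the real root but different bytes: a name match is not trust.
LOOKALIKE_ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-der:lookalike-root")


def demo() -> None:
    scenarios = [
        ("pin-only client, anchor sent", [LEAF, INTERMEDIATE, ROOT], {}, {ROOT.fingerprint()}),
        ("local-copy client, anchor omitted", [LEAF, INTERMEDIATE], {"Example Root CA": ROOT}, set()),
        ("pin-only client, anchor omitted", [LEAF, INTERMEDIATE], {}, {ROOT.fingerprint()}),
        ("look-alike root sent", [LEAF, INTERMEDIATE, LOOKALIKE_ROOT], {"Example Root CA": ROOT}, set()),
        ("unknown root sent, no pins", [LEAF, INTERMEDIATE, ROOT], {}, set()),
    ]
    for name, chain, local, pins in scenarios:
        anchor, reason = select_anchor(chain, local, pins)
        verdict = "ACCEPT" if anchor is not None else "REJECT"
        print(f"{verdict:6} {name}: {reason}")


if __name__ == "__main__":
    demo()
```

The third scenario is the case the message calls out: a client that recognises its anchor only by fingerprint has nothing to check when the server omits it, so relaxed wording about omitting anchors has to leave room for servers to keep sending them. The fourth scenario shows why the "dangerous" reading does not follow from the text: a sent self-signed certificate with the right name but different bytes is still rejected.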