Re: [TLS] Server behavior when client certificate does not match the request ?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 12 January 2016 23:11 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Fabrice Gautier <fabrice.gautier@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Jan 2016 23:11:12 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BC7075@uxcn10-5.UoA.auckland.ac.nz>
References: <CANOyrg9_A=GchJ+K61cPe+J=-rRq388z60psbd5SU6hC6iPpUA@mail.gmail.com> <CABcZeBMeAou1o3kojMEBUu3pRaAvNv1ji-MZRM5qHNkzeo7SyA@mail.gmail.com>, <CANOyrg9BDTNBKqTDq3hS5jQsmY+J3tewuV3X0Cr6s7iUKcCjFA@mail.gmail.com>
In-Reply-To: <CANOyrg9BDTNBKqTDq3hS5jQsmY+J3tewuV3X0Cr6s7iUKcCjFA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/f1riUIb_W62j6pzLOJupvolVCqU>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Server behavior when client certificate does not match the request ?

Fabrice Gautier <fabrice.gautier@gmail.com> writes:

>"Do TLS libraries act strictly on those requirements, or do they leave it to
>the application layers?"
>
>"How do TLS libraries/server applications act when such requirements are not
>respected?"

This has already been discussed in the past: it's not up to TLS to constrain
what a CA can do, and more to the point, if you've paid a CA a small fortune
for a cert you don't want some TLS implementation to reject it because of some
minor disagreement over what colour the cert frame is painted.

Redde Caesari quae sunt Caesaris: the PKI code decides whether a cert chain is
acceptable or not, not the TLS code.

Which is exactly what my code does.

Peter.
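As an added illustration (not code from this thread or from any library the participants maintain), here is what the TLS/PKI split described above looks like with Go's crypto/tls: the TLS layer is configured to accept any client certificate it is handed, and the accept/reject decision lives entirely in a PKI verifier callback. The fixture certificates, their names and the `PKIVerifier` function are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the fixture certificates below
// makeCert mints a fixture certificate for cn signed by parent (self-signed when parent is nil); example-only code.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PKIVerifier is the policy side of the split: it alone decides whether the client's chain is
// acceptable (chains to one of roots and is valid for client auth). Install it as
// tls.Config.VerifyPeerCertificate with ClientAuth: tls.RequireAnyClientCert, so the TLS layer
// only requests and transports the chain and never rejects a certificate on its own.
func PKIVerifier(roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		chain, err := x509.ParseCertificates(bytes.Join(rawCerts, nil))
		if err != nil || len(chain) == 0 {
			return errors.New("pki: client sent no usable certificate")
		}
		inter := x509.NewCertPool() // extra certificates the client sent are candidate intermediates
		for _, c := range chain[1:] {
			inter.AddCert(c)
		}
		_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err
	}
}
```

With RequireAnyClientCert the library passes the raw chain through untouched (the verifiedChains argument is nil), so every acceptance rule, including which CAs are trusted, is expressed in the callback rather than in the TLS code.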