Re: [TLS] Verifying X.509 Certificate Chains out of order

Nelson B Bolyard, Thu, 16 October 2008 19:58 UTC

Date: Thu, 16 Oct 2008 12:59:44 -0700
From: Nelson B Bolyard <>
Organization: Network Security Services
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Peter Gutmann wrote, On 2008-10-15 23:18:
> I have a followup question for the topic of client-auth UI issues: [...]

> The OP said:
>   For browsers, there arose a concern that automatic and silent client cert
>   authentication allows a web site to request cert authentication even when
>   the user has no business relationship with the site, and could be used for
>   user tracking, defeating anonymity of browsing.  So the default setting in
>   browsers was changed to manual selection to avoid silent user tracking.
> So the tradeoff made was to significantly negatively impact usability in
> exchange for addressing a perceived privacy threat, specifically the fact that
> if I connect to a site that (for some reason) decides that it doesn't want to
> use traditional browser cookies or cache cookies or web bugs or Flash cookies
> or a million other ways of tracking users (including SSL session cache
> identifiers in the specific case of SSL) then they can now find out that I'm
> /C=US/O=Verisign/OU=Class 1 CA/OU=No liability accepted/CN=The Jolly Green
> Giant/  Maybe I'm missing something here, but
> this seems to be a case of doing something that significantly negatively
> affects security usability (and therefore actual real security) in order to
> address an imaginary issue that only a geek could dream up.  Is there some
> other issue here that I'm missing?

One major difference between tracking with cookies (or TLS session IDs) and
using certs is that cookies and TLS session IDs contain only information
previously put there by the server itself.  When the server fetches them,
it doesn't learn anything about the user that it didn't already know.
It has merely learned that a user who has previously been to this web site
has now returned.  But certs reveal information that could well have
previously been unknown to the server.  Fetching certs is a way to do
information discovery.

As for this being a significant negative usability impact, soon the browser
will be able to remember a user's choices about certs for servers, including
the choice of "send no cert", and thereafter, the browser will no longer
bother him to repeat a choice he has already made. So, the impact will
typically be at most one choice per site. There will be no negative
usability impact for servers to whom the user really wants to authenticate.
A user won't mind choosing a cert for authenticating to his bank.  He will
mind being asked to choose while browsing porn. :)

Finally, I will add that the decision to change the default behavior for
client auth was made by the browser UI folks, not by the crypto folks.
The folks who made this decision are the UI czars who make the big
decisions about the trade-off of usability vs other things (such as
security). They apparently thought the threat of this form of tracking
was serious enough to warrant the change.  The subsequent discovery of
lots of sites that are doing this seems to prove that the threat was not
merely imaginary.
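As an added illustration, not code from this thread or from NSS/Firefox: a toy model of the "remember the user's choice per site, including send-no-cert" behaviour described above, driven by a parser for the TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4). The certificate records, the `ask_user` callback and the issuer names (plain bytes standing in for DER distinguished names) are constructed assumptions.

```python
"""Toy model of once-per-site client-certificate choice (constructed example)."""
import struct

SEND_NO_CERT = None  # the remembered "send no cert" answer


def parse_certificate_request(body: bytes) -> list:
    """Return the acceptable CA names from a TLS 1.2 CertificateRequest body.

    Layout: certificate_types<1..255>, supported_signature_algorithms<2..2^16-2>,
    certificate_authorities<0..2^16-1> holding DistinguishedName<1..2^16-1> items.
    """
    pos = 0
    pos += 1 + body[pos]                                      # skip certificate_types
    (sigalg_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + sigalg_len                                     # skip signature algorithms
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ca_len
    names = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities vector")
    return names


class ClientAuthChooser:
    """Prompts at most once per site and remembers the answer, even 'no cert'."""

    def __init__(self, user_certs, ask_user):
        self.user_certs = user_certs      # list of {"nick": str, "issuer": bytes}
        self.ask_user = ask_user          # callback(site, candidates) -> nick or SEND_NO_CERT
        self.remembered = {}              # site -> nick or SEND_NO_CERT
        self.prompts = 0

    def choose(self, site: str, cert_request: bytes):
        if site in self.remembered:       # earlier decision applies; never re-prompt
            return self.remembered[site]
        acceptable = parse_certificate_request(cert_request)
        # Empty CA list means any issuer is acceptable (RFC 5246 7.4.4).
        candidates = [c for c in self.user_certs if not acceptable or c["issuer"] in acceptable]
        if not candidates:                # nothing to offer: answer silently, reveal nothing
            return SEND_NO_CERT
        self.prompts += 1
        choice = self.ask_user(site, candidates)
        self.remembered[site] = choice    # a "send no cert" answer is remembered too
        return choice


# Constructed CertificateRequest bodies: rsa_sign type, one sig-alg (sha256/rsa), then CAs.
REQ_BANK = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x09" + b"\x00\x07bank-ca"
REQ_ANY = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00"
```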