Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)

Yoav Nir <ynir.ietf@gmail.com> Tue, 12 May 2015 19:52 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20150512192950.C93F21B2EB@ld9781.wdf.sap.corp>
Date: Tue, 12 May 2015 22:52:47 +0300
Message-Id: <939995E0-4ED0-479A-8B3A-628FE2C8C31B@gmail.com>
References: <20150512192950.C93F21B2EB@ld9781.wdf.sap.corp>
To: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/k8b9RCUsbAMpMwKHYgnCL2WROZo>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

> 
> But a machine/automata/algorithm that will automatically download objects
> from URLs from still-untrusted data provided by the peer is definitely
> insecure and irresponsible.
> 

In that sense, how is AIA different from revocation checking? Whether you use CRLs or OCSP, you’re following a URL in the (still untrusted or at least possibly revoked) certificate to retrieve an object.

Yoav