Re: [TLS] Certificate validation can of worms
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 05 April 2014 02:20 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Sat, 05 Apr 2014 02:20:19 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C738A346949@uxcn10-tdc06.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kAIRk_b6EvpnzeI8cRld3xzlJvM
Subject: Re: [TLS] Certificate validation can of worms
Watson Ladd <watsonbladd@gmail.com> writes:

>Dear all, https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf contains tests of
>many TLS implementations. Interestingly, all tested implementations contain
>errors, and all but OpenSSL erroneous accepts. Cryptlib was not tested,
>because it doesn't validate certificates.

... which is actually wrong: it does support certificate validation, it just
doesn't do it by default, because in the large majority of situations where
cryptlib is used, users don't want to trust or not trust any arbitrary cert
just because it was bought from a commercial CA. In other words cryptlib isn't
a web browser that blindly trusts anything that chains to a commercial CA. If
you do want that behaviour (and I wouldn't recommend it), it's two lines of
code to implement.

I'll write to the authors in a minute asking them to correct the statement in
the paper.

Peter.
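The point Peter makes above is that the trust decision belongs to the application, not to whatever chains to a commercial CA. The Go program below is an added illustration of that, written for this page; it is not code from the thread, from cryptlib, or from the paper Watson links. It verifies a server certificate against exactly the roots the caller chooses (never the system store) and exercises the kinds of mis-validation that paper reports implementations getting wrong: an issuer the application never trusted, a hostname mismatch, an expired leaf, and a leaf "issued" by a certificate that is not a CA. Every certificate and key is generated in memory at run time (constructed data); the host names and CA names are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a running serial number for the throwaway certificates built here.
var serial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate for tmpl/pub, signed with signer's key.
// When parent is nil the certificate is self-signed (a root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate describes a CA certificate: basicConstraints CA=TRUE, keyCertSign.
func caTemplate(cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes an ordinary server certificate: CA=FALSE, a SAN entry,
// and serverAuth extended key usage.
func leafTemplate(dnsName string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  false,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Verify validates leaf for host at time 'at' against only the given roots.
// Passing an explicit Roots pool is what keeps the system CA store out of the decision.
func Verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, at time.Time) error {
	rootPool := x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		DNSName:       host,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunCases builds a constructed test PKI and returns, per scenario, the
// verification error (nil means the certificate was accepted).
func RunCases() map[string]error {
	now := time.Now()
	ourKey := newKey()
	ourRoot := sign(caTemplate("Our Private Root", now), nil, &ourKey.PublicKey, ourKey)
	otherKey := newKey()
	otherRoot := sign(caTemplate("Some Commercial CA", now), nil, &otherKey.PublicKey, otherKey)

	serverKey := newKey()
	good := sign(leafTemplate("example.test", now.Add(-time.Hour), now.Add(time.Hour)), ourRoot, &serverKey.PublicKey, ourKey)
	fromOther := sign(leafTemplate("example.test", now.Add(-time.Hour), now.Add(time.Hour)), otherRoot, &serverKey.PublicKey, otherKey)
	expired := sign(leafTemplate("example.test", now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ourRoot, &serverKey.PublicKey, ourKey)

	// A plain server certificate (CA=FALSE) that then signs another leaf. A validator
	// that skips the basicConstraints check would accept the resulting chain.
	notCAKey := newKey()
	notCA := sign(leafTemplate("notca.test", now.Add(-time.Hour), now.Add(time.Hour)), ourRoot, &notCAKey.PublicKey, ourKey)
	viaNotCA := sign(leafTemplate("example.test", now.Add(-time.Hour), now.Add(time.Hour)), notCA, &serverKey.PublicKey, notCAKey)

	ours := []*x509.Certificate{ourRoot}
	return map[string]error{
		"valid":                    Verify(good, nil, ours, "example.test", now),
		"untrusted-issuer":         Verify(fromOther, nil, ours, "example.test", now),
		"wrong-hostname":           Verify(good, nil, ours, "evil.test", now),
		"expired":                  Verify(expired, nil, ours, "example.test", now),
		"issuer-not-a-ca":          Verify(viaNotCA, []*x509.Certificate{notCA}, ours, "example.test", now),
		// Same certificate as "untrusted-issuer", accepted once the application
		// decides that CA is a trust anchor: the decision is the caller's, not the CA's.
		"other-root-chosen-by-app": Verify(fromOther, nil, []*x509.Certificate{otherRoot}, "example.test", now),
	}
}

func main() {
	for name, err := range RunCases() {
		if err == nil {
			fmt.Printf("%-26s accepted\n", name)
		} else {
			fmt.Printf("%-26s rejected: %v\n", name, err)
		}
	}
}
```

Run it with `go run`; only "valid" and "other-root-chosen-by-app" are accepted, and the rejected cases print the reason Go's verifier gives. Note that the rejection for "issuer-not-a-ca" comes from the chain builder refusing a CA=FALSE certificate as a parent, which is exactly the check a validator must not skip.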
- [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Yan Zhu
- Re: [TLS] Certificate validation can of worms Peter Gutmann
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Kurt Roeckx
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Kemp, David P.
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Rob Stradling
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Nikos Mavrogiannopoulos
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani