Re: [TLS] Verifying X.509 Certificate Chains out of order
Alexander Klink <a.klink@cynops.de> Tue, 07 October 2008 13:49 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE5243A6A29; Tue, 7 Oct 2008 06:49:15 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 98D6F3A6A29 for <tls@core3.amsl.com>; Tue, 7 Oct 2008 06:49:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wlbKDfukbmsY for <tls@core3.amsl.com>; Tue, 7 Oct 2008 06:49:10 -0700 (PDT)
Received: from mail.cynops.de (cynops.de [82.149.225.69]) by core3.amsl.com (Postfix) with ESMTP id CD6733A67AB for <tls@ietf.org>; Tue, 7 Oct 2008 06:49:09 -0700 (PDT)
Received: from cy10loc.cynops.de (cy10loc [172.16.0.10]) by mail.cynops.de (Postfix) with ESMTP id DF57E6C3A4 for <tls@ietf.org>; Tue, 7 Oct 2008 15:48:05 +0200 (CEST)
Received: from localhost (unknown [172.16.0.6]) by cy10loc.cynops.de (Postfix) with ESMTP id 68B96C8001 for <tls@ietf.org>; Tue, 7 Oct 2008 15:48:05 +0200 (CEST)
Date: Tue, 07 Oct 2008 15:48:05 +0200
From: Alexander Klink <a.klink@cynops.de>
To: tls@ietf.org
Message-ID: <20081007.d55220c47ddb8ab96e49869bf280f502@cynops.de>
References: <9F11911AED01D24BAA1C2355723C3D3218DDA5593A@EA-EXMSG-C332.europe.corp.microsoft.com> <200810071109.m97B9vFl011461@fs4113.wdf.sap.corp>
MIME-Version: 1.0
In-Reply-To: <200810071109.m97B9vFl011461@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.13 (2006-08-11)
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2025367568=="
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
On Tue, Oct 07, 2008 at 01:09:57PM +0200, Martin Rex wrote: > > As long as I can use, some or all, of the provided certificates > > to construct a valid path, and I'm willing to undertake the effort > > to do so, then it would be quite senseless to force me to reject that path. > > I wouldn't be surprised if some implementations of PKI would follow AIA > while building a chain from an incomplete unordered set. Indeed. Not sure what this has to do with the ordered/unordered discussion, though, but Microsoft's CryptoAPI does that in certain cases (luckily, not always), see http://www.cynops.de/techzone/http_over_x509.html > *I* certainly would not want *my* servers to do that. They turned that off in the server case, I still don't like the idea of clients sending arbitrary HTTP requests in response to some SPAM mail. While we have someone from Microsoft on the thread - any ideas on when this will be fixed - I reported it more than 6 months ago now and haven't heard back from MSRC? Cheers, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Verifying X.509 Certificate Chains out of o… Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Rob Dugal
- Re: [TLS] Verifying X.509 Certificate Chains out … Dr Stephen Henson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Mike
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Sylvester
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Stefan Santesson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Steven M. Bellovin
- [TLS] Antwort: Re: Verifying X.509 Certificate Ch… Axel.Heider
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Ben Laurie
- Re: [TLS] Verifying X.509 Certificate Chains out … Jeffrey A. Williams
- Re: [TLS] Verifying X.509 Certificate Chains out … Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Yoav Nir
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Nelson B Bolyard
- Re: [TLS] Verifying X.509 Certificate Chains out … Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out … Alexander Klink