Re: [TLS] Verifying X.509 Certificate Chains out of order

[Alexander Klink <a.klink@cynops.de>]

On Tue, Oct 07, 2008 at 01:09:57PM +0200, Martin Rex wrote:
> > As long as I can use, some or all, of the provided certificates
> > to construct a valid path, and I'm willing to undertake the effort
> > to do so, then it would be quite senseless to force me to reject that path.
> 
> I wouldn't be surprised if some implementations of PKI would follow AIA
> while building a chain from an incomplete unordered set.

Indeed. Not sure what this has to do with the ordered/unordered
discussion, though, but Microsoft's CryptoAPI does that in certain cases
(luckily, not always), see
http://www.cynops.de/techzone/http_over_x509.html

> *I* certainly would not want *my* servers to do that.

They turned that off in the server case, I still don't like the idea of
clients sending arbitrary HTTP requests in response to some SPAM mail.

While we have someone from Microsoft on the thread - any ideas on when
this will be fixed - I reported it more than 6 months ago now and
haven't heard back from MSRC?

Cheers,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink@cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls