Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 20 May 2015 22:27 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F361ABB19 for <tls@ietfa.amsl.com>; Wed, 20 May 2015 15:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZKaViAqTl49 for <tls@ietfa.amsl.com>; Wed, 20 May 2015 15:27:31 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0109.outbound.protection.outlook.com [65.55.169.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D397E1A9301 for <tls@ietf.org>; Wed, 20 May 2015 15:27:30 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1393.namprd03.prod.outlook.com (10.163.81.14) with Microsoft SMTP Server (TLS) id 15.1.166.22; Wed, 20 May 2015 22:27:29 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0166.017; Wed, 20 May 2015 22:27:28 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi
Thread-Index: AdCSLOLGJVnE1j84SD6Bm7bXqoznGwAJP6uQAAXX/AAAODgicA==
Date: Wed, 20 May 2015 22:27:28 +0000
Message-ID: <BLUPR03MB1396D12DBD3232776CF85AFF8CC20@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <BLUPR03MB1396B22C6722C0C9CD9376138CC30@BLUPR03MB1396.namprd03.prod.outlook.com> <20150519192316.74DA91B310@ld9781.wdf.sap.corp>
In-Reply-To: <20150519192316.74DA91B310@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:ed31::5]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1393; 3:eTaidhdUlv/gfroOpNWtLDovF32etpzsWcj2kA+sZZi4VgFvb/AFC2QXU4tOICngUHVkeTcKdRQ22sKmhpHpKhT+rAvyC2regcpm7UyTBJ/P7XFMJZMiMRL/Dm8/pi31wOOdZfnTv4JCoSYDHsdIbQ==; 10:zw0WY58mkwN368P+kZWma50pyaj7Ja/TX2U2+JkQ02QRnCRsmmGDHnHNf5CZXa7pnjJ7OyyLa4p2TazE4NhEFZ8yChZql2ELUHB2cJsbxog=; 6:rPhTKnmiTRaJhOe6dgrpnGLBrs6+5KGuPs+9c4M7LX6Zmb4m9b5iBrSUWdl+vuts
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1393;
x-microsoft-antispam-prvs: <BLUPR03MB1393F8256909A11CB83BF5918CC20@BLUPR03MB1393.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1393; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1393;
x-forefront-prvs: 0582641F53
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(54094003)(189002)(377454003)(199003)(13464003)(24454002)(51704005)(54356999)(76176999)(50986999)(68736005)(64706001)(5001860100001)(99286002)(5001830100001)(2950100001)(2900100001)(15975445007)(102836002)(77096005)(86362001)(76576001)(2351001)(106356001)(2501003)(5001960100002)(110136002)(86612001)(77156002)(62966003)(122556002)(189998001)(40100003)(19580405001)(87936001)(33656002)(2656002)(46102003)(74316001)(101416001)(19580395003)(5001920100001)(92566002)(105586002)(81156007)(97736004)(4001540100001)(7059030)(219693003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1393; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 May 2015 22:27:28.0502 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1393
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mZgNosQ2DZGkxNVRAplGpaJpxvY>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 22:27:32 -0000

This isn't about a specific TLS implementation. As Ryan explained (http://www.ietf.org/mail-archive/web/tls/current/msg16238.html), servers today have to deviate from the certificate_list ordering requirements for a variety of practical reasons. Clients can't take advantage of these requirements, because servers violate them. So if neither clients nor servers can in practice implement this RFC language, why don't we drop it?

Cheers,

Andrei

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com] 
Sent: Tuesday, May 19, 2015 12:23 PM
To: Andrei Popov
Cc: Peter Gutmann; <tls@ietf.org>;
Subject: Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)) I wonder if anyone is reading the full subject line or does it just get truncated at some poi

Peter Gutmann wrote:
> Dave Garrett <davemgarrett@gmail.com>; writes:
> 
> >Who else is in favor or against, at the moment?
> 
> I'm in favour of relaxing the requirements to match real-world practice.


Andrei Popov wrote:
>
> +1. Since we're not going to change implementations to conform
> to the current strict requirements (because it would have been a 
> breaking change), we can as well relax the requirements.


Please do not mess this up *again* -- and clearly sort out where you see any requirements that you feel are a problem.


The existing text does not place *ANY* requirement on what the client may accept.  The requirements are exclusively about what the server is required to send.

Andrei:  Is it possible to make Microsoft SChannel send arbitrary heaps of certificates in the Server Certificate handshake message?  If yes, how is it exactly configured what junk in what order gets sent?

Or were you actually thinking about client behaviour -- where the existing text does not (and never intended to) place any specific behaviour.


-Martin