IETF Logo Mail Archive

Re: [TLS] Consensus on PR 169 - relax certificate list requirements

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 26 August 2015 21:50 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2529F1B3354 for <tls@ietfa.amsl.com>; Wed, 26 Aug 2015 14:50:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LO_qt0oo2-s for <tls@ietfa.amsl.com>; Wed, 26 Aug 2015 14:50:25 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D561B3345 for <tls@ietf.org>; Wed, 26 Aug 2015 14:50:25 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 15E5C284D24; Wed, 26 Aug 2015 21:50:24 +0000 (UTC)
Date: Wed, 26 Aug 2015 21:50:23 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150826215023.GF9021@mournblade.imrryr.org>
References: <CAOgPGoAPCXkzc=01_+FPSJcxV8vEQmBUYNGYaWMdKpSGU0M0Lg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAOgPGoAPCXkzc=01_+FPSJcxV8vEQmBUYNGYaWMdKpSGU0M0Lg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pOMhwxVvgcEX6uALRaaM-ZUxKc4>
Subject: Re: [TLS] Consensus on PR 169 - relax certificate list requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 21:50:30 -0000

On Wed, Aug 26, 2015 at 02:11:01PM -0700, Joseph Salowey wrote:

> It looks like we have good consensus on PR 169 to relax certificate list
> ordering requirements.  I had one question on the revised text.  I'm
> unclear on the final clause in this section:
> 
> "Because certificate validation requires that trust anchors be distributed
> independently, a self-signed certificate that specifies a trust anchor MAY
> be omitted from the chain, provided that supported peers are known to
> possess any omitted certificates they may require."
> 
> I just want to make sure there isn't the intention of omitting certificates
> that are not seif-signed.

There is no such intention, the new text in question expands on
existing text in previous versions of TLS that specifically blesses
omission of self-signed issuers.  Such omission is no longer
universally applicable, since with DANE-TA(2) for example, even
self-signed issuers MUST be included in the server chain.

    https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.2.2

So the intent here is to hedge  the circumstances under which chain
elements are ommitted.  This is not an attempt to bless further
chain optimization.  What's new here is the "provided that ...".

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email