Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
Fabrice Gautier <fabrice.gautier@gmail.com> Tue, 12 May 2015 23:04 UTC
Return-Path: <fabrice.gautier@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBCA61B29BE for <tls@ietfa.amsl.com>; Tue, 12 May 2015 16:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vu3_Z3TyA8Kl for <tls@ietfa.amsl.com>; Tue, 12 May 2015 16:04:26 -0700 (PDT)
Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231641B29C0 for <tls@ietf.org>; Tue, 12 May 2015 16:04:26 -0700 (PDT)
Received: by obcus9 with SMTP id us9so17124931obc.2 for <tls@ietf.org>; Tue, 12 May 2015 16:04:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=KZavZjuGT5oNGWpIWTnKcHSSYW/Kcia8LSIW1LnY6rU=; b=BcTqSJBzlu5DAL/xlIbeVxXiGB54hSL0vD4PXX6BXBA3NJv8xf/V24w437LwoDQhxH uODLu793ZLcjdRZLkjGrD0KnRnpCGaQ0OokH8B2bYBpo62MonCnqqMU7Z+sfyTaHMTQz UI4X3yiixl8MPRa3TFvFqgjXCEVQe9bPcECFEqQ+VndwQhW9PzbdI73r4Q8/Ec2lXrd/ kkU+4ette6fiMyiEC6E0WZyb0q+VEROB9w3ImUDrXlUj/pdNY8a970piQ0liXGtQ8FYi IwDbuC6HZi1Tb/tQwLcMk3+esmbjzRwm2LAV8b2DBQjVDWnzRNuNImEAS7+Z8nDnZzN+ D1Lw==
X-Received: by 10.202.49.77 with SMTP id x74mr13219028oix.86.1431471865538; Tue, 12 May 2015 16:04:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.213.206 with HTTP; Tue, 12 May 2015 16:04:05 -0700 (PDT)
In-Reply-To: <CACsn0ckKb7MW6RPdk5Dks+kqkXf37ey0SucZ4TTPXz0Pe5F5RA@mail.gmail.com>
References: <91953cbbfb330a83faad8f7115a20a5a.squirrel@webmail.dreamhost.com> <20150512131453.083471B2EB@ld9781.wdf.sap.corp> <CACsn0ckKb7MW6RPdk5Dks+kqkXf37ey0SucZ4TTPXz0Pe5F5RA@mail.gmail.com>
From: Fabrice Gautier <fabrice.gautier@gmail.com>
Date: Tue, 12 May 2015 16:04:05 -0700
Message-ID: <CANOyrg9_pRsTcxuq7XTqZ7fsPQNX3FO-+zen5bV62FAmF8YDVA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qpTN2C7xSu_G0SIMpuk7KvJtTaQ>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 23:04:27 -0000
On Tue, May 12, 2015 at 6:58 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Tue, May 12, 2015 at 6:14 AM, Martin Rex <mrex@sap.com> wrote: >> Ryan Sleevi wrote: >>> >>> 1) I think clients, such as Martin's, that implement normative checking of >>> ordering and are used for the Internet at large (e.g. between servers and >>> clients that are not controlled by a single entity) are bad for Internet >>> security. >> >> Huh? I never described anything like that "normative checking". >> >> My client simply feeds the certificate chain from the TLS Certificate >> handshake message, up to an issure that is recognized as trust anchor >> directly into the certificate path validation function (rfc5280, >> section 6.1) just like rfc5246 and rfc5280 _designed_ this to be. > > How does the server know which trust anchors will be accepted, > particularly in cases involving cross-validation? Isn't that the purpose of the "Trusted CA Indication" extension in RFC 6066 ? I don't know of anything implementing it though.... -- Fabrice
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Andrei Popov
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ben Laurie
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Watson Ladd
- Re: [TLS] [tls13-spec] relax certificate_list ord… Nikos Mavrogiannopoulos
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Daniel Kahn Gillmor
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Fabrice Gautier
- Re: [TLS] [tls13-spec] relax certificate_list ord… Brian Smith
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Peter Gutmann
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex