Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169))

Geoffrey Keating <geoffk@geoffk.org> Mon, 18 May 2015 23:49 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14E811B2B71 for <tls@ietfa.amsl.com>; Mon, 18 May 2015 16:49:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rWggtN-lSfv for <tls@ietfa.amsl.com>; Mon, 18 May 2015 16:48:58 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEBA21B2B70 for <tls@ietf.org>; Mon, 18 May 2015 16:48:58 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 94BC333D08B; Mon, 18 May 2015 23:48:55 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Dave Garrett <davemgarrett@gmail.com>
References: <201505181900.10185.davemgarrett@gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 18 May 2015 16:48:55 -0700
In-Reply-To: <201505181900.10185.davemgarrett@gmail.com>
Message-ID: <m2h9r9zbtk.fsf@localhost.localdomain>
Lines: 25
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/za7WKFRZKrqBcwiKn401EDcebW8>
Cc: tls@ietf.org
Subject: Re: [TLS] relax certificate_list requirements - opinion call (was Re: [tls13-spec] relax certificate_list ordering requirements to match current practice (#169))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2015 23:49:00 -0000

Dave Garrett <davemgarrett@gmail.com>; writes:

> https://github.com/tlswg/tls13-spec/pull/169/files
> 
> Of note, see also:
> https://www.ietf.org/mail-archive/web/tls/current/msg16238.html
> 
> The discussion on this list got quite long and at least one person changed their opinion on the topic. I'd like to figure out where we stand on this now.
> 
> The primary people advocating for this are myself and Ryan Sleevi.
> The primary person advocating against this is Martin Rex.
> 
> Who else is in favor or against, at the moment?

I am for it, as it documents existing practice.

> Also, the topic of AIA cert fetching came up, with people both
> arguing for and against.

I believe this is out of scope for TLS; it is not a transport layer
issue.  We should therefore not discuss it in the TLS RFC.  There's
already discussion of some security impacts of AIA in RFC 5280, but
not this particular issue; I think that would be a good place to
mention the issue.