Re: [TLS] Comments on RFC-4346

Martin Rex <martin.rex@sap.com> Tue, 24 October 2006 20:42 UTC

From: Martin Rex <martin.rex@sap.com>
Message-Id: <200610242042.WAA15485@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Comments on RFC-4346
To: jnordqvist@lucent.com
Date: Tue, 24 Oct 2006 22:42:13 +0200
In-Reply-To: <453E6CD6.8010100@lucent.com> from "Jan Nordqvist" at Oct 24, 6 12:43:18 pm
Cc: tls@ietf.org

Jan Nordqvist wrote:
> 
>    3. The definition of the CertificateRequest message specifies
>       certificate_types and certificate_authorities as criteria for
>       requesting certificates, but there is no mention of how the two
>       sets of values are used to select a certificate, i.e. is a
>       certificate qualified if it matches only one of the sets or does
>       it have to qualify for both.

A very large installed base of SSLv3/TLSv1.0 seems to entirely ignore
certificate_types for the selection (the vendor forgot to expose
this information at the low-level APIs, so the callers above it,
e.g. the Web Browser, cannot use it for selecting the certificate).

Let's hope that CAs are careful when issuing CA certificates,
and do not use the exact same Subject DName but differing keys
(different in type, size or even just different bits).

-Martin

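Added example, not part of the thread and not any vendor's code: a Python sketch of a client parsing the RFC 4346 CertificateRequest body and applying both criteria, the key type against certificate_types and the issuer against certificate_authorities, with a flag that mimics the installed-base behaviour Martin describes (DN matched, type ignored). Certificates are constructed dicts and the DN byte labels stand in for DER-encoded names.

```python
# ClientCertificateType values from RFC 4346, section 7.4.4.
CLIENT_CERTIFICATE_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}

def parse_certificate_request(body: bytes):
    """Parse a CertificateRequest body: certificate_types<1..2^8-1>, then
    certificate_authorities<0..2^16-1> as length-prefixed DistinguishedNames.
    Returns (set of type names, list of DN byte strings)."""
    n_types = body[0] if body else 0
    if n_types == 0 or len(body) < 1 + n_types + 2:
        raise ValueError("malformed certificate_types")
    types = {CLIENT_CERTIFICATE_TYPES.get(t, f"unknown({t})") for t in body[1:1 + n_types]}
    pos = 1 + n_types
    ca_len = int.from_bytes(body[pos:pos + 2], "big")
    pos, end = pos + 2, pos + 2 + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match the body")
    authorities = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")  # short slice is caught below
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName")
        authorities.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, authorities

def select_client_certificate(certs, types, authorities, honor_types=True):
    """First cert whose key type is in certificate_types AND whose issuer is in
    certificate_authorities (an empty list accepts any issuer). honor_types=False
    mimics the installed base described above: the DN is matched, the type ignored."""
    for cert in certs:
        if honor_types and cert["key_type"] not in types:
            continue
        if authorities and cert["issuer_dn"] not in authorities:
            continue
        return cert
    return None

# Constructed sample data; DNs are plain byte labels standing in for DER names.
# The server asks for rsa_sign certificates issued by "CN=Example CA".
SAMPLE_REQUEST = b"\x01\x01" + b"\x00\x0f" + b"\x00\x0d" + b"CN=Example CA"
# Two client certs chain to CA certs sharing one Subject DN but differing in key type.
SAMPLE_CERTS = [
    {"name": "dss-client", "key_type": "dss_sign", "issuer_dn": b"CN=Example CA"},
    {"name": "rsa-client", "key_type": "rsa_sign", "issuer_dn": b"CN=Example CA"},
    {"name": "rsa-other", "key_type": "rsa_sign", "issuer_dn": b"CN=Other CA"},
]
```

With honor_types=False the DN-only selection returns the DSS certificate for an rsa_sign request, which the server then rejects; checking both sets resolves the ambiguity that identical Subject DNs create.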
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls