Re: [TLS] Comments on RFC-4346
Martin Rex <martin.rex@sap.com> Tue, 24 October 2006 20:42 UTC
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200610242042.WAA15485@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Comments on RFC-4346
To: jnordqvist@lucent.com
Date: Tue, 24 Oct 2006 22:42:13 +0200
In-Reply-To: <453E6CD6.8010100@lucent.com> from "Jan Nordqvist" at Oct 24, 6 12:43:18 pm
Cc: tls@ietf.org

Jan Nordqvist wrote:
>
> 3. The definition of the CertificateRequest message specifies
>    certificate_types and certificate_authorities as criteria for
>    requesting certificates, but there is no mentioning how the two
>    sets of values are used to select a certificate, i.e. is a
>    certificate qualified if it matches only one of the sets or does
>    it have to qualify to both.

A very large installed base of SSLv3/TLSv1.0 seems to entirely ignore
certificate_types for the selection (the vendor forgot to expose this
information at the low level APIs, so the callers above it, e.g. Web
Browser, cannot use it for selecting the certificate).

Let's hope that CAs are careful when issuing CA certificates, and
do not use the exact same Subject DName but differing keys
(different in type, size or even just different bits).

-Martin

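Added example, not part of the original message or of any TLS implementation: a sketch of client certificate selection that contrasts the behaviour described in the reply (certificate_types ignored) with one possible reading in which a certificate must match both fields. The "match both" rule, the class and function names, the certificate labels and the DNs are assumptions made for illustration; DNs are compared as plain strings for simplicity.

```python
from dataclasses import dataclass

# ClientCertificateType values from RFC 4346, section 7.4.4
RSA_SIGN, DSS_SIGN = 1, 2


@dataclass(frozen=True)
class ClientCert:
    label: str       # constructed name for this example
    cert_type: int   # ClientCertificateType this certificate's key satisfies
    issuer_dn: str   # DN of the issuing CA (string form, simplified)


@dataclass(frozen=True)
class CertificateRequest:
    certificate_types: tuple        # in the server's order of preference
    certificate_authorities: tuple  # DNs of acceptable CAs


def select_by_ca_only(req, certs):
    """Selection as described in the reply: certificate_types never reaches
    the caller, so only the issuer DN is checked."""
    return [c for c in certs if c.issuer_dn in req.certificate_authorities]


def select_by_both(req, certs):
    """Assumed interpretation: a certificate qualifies only if it matches
    both lists; results follow the server's type preference order."""
    ok = [c for c in certs
          if c.issuer_dn in req.certificate_authorities
          and c.cert_type in req.certificate_types]
    return sorted(ok, key=lambda c: req.certificate_types.index(c.cert_type))


# Constructed sample data: two certificates chain to the same CA DN but
# carry different key types; a third comes from a CA the server did not list.
STORE = [
    ClientCert("alice-dss", DSS_SIGN, "CN=Example CA,O=Example"),
    ClientCert("alice-rsa", RSA_SIGN, "CN=Example CA,O=Example"),
    ClientCert("alice-other", RSA_SIGN, "CN=Other CA,O=Example"),
]
REQUEST = CertificateRequest(
    certificate_types=(RSA_SIGN,),
    certificate_authorities=("CN=Example CA,O=Example",),
)

if __name__ == "__main__":
    print("CA only:", [c.label for c in select_by_ca_only(REQUEST, STORE)])
    print("both   :", [c.label for c in select_by_both(REQUEST, STORE)])
```

With the CA-only rule the DSS certificate is still offered even though the server asked for rsa_sign alone, because the issuer DN is the only thing that distinguishes candidates.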
- [TLS] Comments on RFC-4346 Jan Nordqvist
- Re: [TLS] Comments on RFC-4346 EKR
- Re: [TLS] Comments on RFC-4346 Martin Rex