Re: [TLS] Verifying X.509 Certificate Chains out of order

At Tue, 7 Oct 2008 13:43:53 +0200 (MEST),
Martin Rex wrote:
> 
> Martin Rex wrote:
> > 
> > Stefan Santesson wrote:
> > > 
> > > Just agreeing on the principle that implementers should be forced to
> > > send the certificates in order but it definitely must be allowed
> > > to accept out of order chains.
> > 
> > I have absolutely no problem with implementations that accept an
> > unordered list.
> 
> Thinking about it, what exactly do you mean by unordered?
> 
> Since there isn't any additional information in the protocol to
> identify the end-entity cert in the certificate_list, that certificate
> will have to be the first.  Or does your code really apply heuristics
> in locating the end entity cert?

This is an excellent point. It does seem rather problematic to
have multiple candidate EE certs, especially because in many
cases the SSL stack does not know the peer's expected name.

-Ekr
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
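An added illustration (not code from the thread or from any TLS implementation) of the heuristic Martin asks about and the ambiguity Ekr points out: with only subject/issuer names to go on, the only structural hint for the end-entity cert in an unordered list is "the cert that issued nothing else", which fails as soon as there are two such leaves unless the stack already knows the peer's expected name. The cert records and names below are constructed; real matching would use subjectAltName and signature checks, which this toy omits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 cert: only the names matter here (constructed)."""
    subject: str
    issuer: str


def leaf_candidates(certs):
    """Certs that issued nothing else in the list: the only structural clue
    to the end-entity cert when the certificate_list arrives unordered."""
    issuers = {c.issuer for c in certs}
    return [c for c in certs if c.subject not in issuers]


def order_chain(certs, expected_peer_name=None):
    """Return the chain leaf-first, or raise ValueError when the leaf cannot be
    identified without extra information (the problem raised in the thread)."""
    candidates = leaf_candidates(certs)
    if expected_peer_name is not None:
        # If the stack knows who it expects to talk to, that resolves the tie.
        candidates = [c for c in candidates if c.subject == expected_peer_name]
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} end-entity candidates: "
                         f"{[c.subject for c in candidates]}")
    by_subject = {c.subject: c for c in certs}  # assumes unique subjects (no cross-certs)
    chain, cur, seen = [], candidates[0], set()
    while cur is not None and cur.subject not in seen:  # seen-set guards against loops
        chain.append(cur)
        seen.add(cur.subject)
        if cur.subject == cur.issuer:  # self-signed root ends the walk
            break
        cur = by_subject.get(cur.issuer)  # None if the issuer was not sent
    return chain


# Constructed sample lists, deliberately out of order.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
WWW = Cert("www.example.com", "Example Intermediate CA")
MAIL = Cert("mail.example.com", "Example Intermediate CA")
UNORDERED = [INTER, ROOT, WWW]          # one leaf: heuristic works
TWO_LEAVES = [INTER, WWW, ROOT, MAIL]   # two leaves: ambiguous without a peer name

if __name__ == "__main__":
    print([c.subject for c in order_chain(UNORDERED)])
    print([c.subject for c in order_chain(TWO_LEAVES, "www.example.com")])
```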



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.