Re: [TLS] Record layer corner cases


Kemp, David P. wrote:
> 
> There is no misbehavior involved at all, and no reason to
> complain to VeriSign about any dates contained in a rootCA
> certificate.  In fact, VeriSign could have made the nature
> of trust anchor information more explicitly obvious if they
> had stuck in a validity period of Jan 1, 1900 0000Z -
> Jan 1, 1900 0000Z.  Including nonsense in the certificate
> fields that are not part of a trust anchor makes it obvious
> that the certificate is just a data structure that is being
> re- (or mis-)used to convey trust anchor information.

I do not mind about not checking validity dates (or even signatures)
on trust anchors.  But when an X.509 certificate is sent as part of
a certification path, then it is not a trust anchor, but instead
a regular certificate -- and therefore MUST be a correct certificate
(or not be sent in a certification path!).


-Martin
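The distinction Martin draws above, as an added worked example (this is not code from the original thread or from any of the parties mentioned). It models a trust anchor the way RFC 5280 (and RFC 3280 before it) section 6.1.1 defines it, as a name plus a public key with no validity period, while every certificate actually presented in the path gets the ordinary checks, dates included. Certificate names, keys and dates are constructed; signatures are stood in for by a recorded signer key, since the point is which objects get checked, not the cryptography.

```python
"""Constructed model: a trust anchor carries no dates to check, but any
certificate sent in a certification path is a regular certificate and
must pass the full path-validation checks. All names, keys and dates
here are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    public_key: str   # opaque stand-in for the SubjectPublicKeyInfo
    signer_key: str   # stand-in for the signature: key that signed this cert


@dataclass(frozen=True)
class TrustAnchor:
    """What RFC 5280 6.1.1(d) actually needs: a trusted name and key.
    The structure that conveyed it (a self-signed cert, say) is not part
    of the anchor, so its validity period is never consulted."""
    name: str
    public_key: str


class PathError(Exception):
    pass


def anchor_from_cert(cert: Cert) -> TrustAnchor:
    """Take anchor information out of a self-signed certificate, ignoring
    its dates and signature: the relying party trusts this key out of band."""
    return TrustAnchor(name=cert.subject, public_key=cert.public_key)


def validate_path(path, anchors, now):
    """path[0] is the end-entity cert; path[-1] must be issued by one of
    `anchors`. Every element of `path` is treated as a regular certificate.
    Returns the name of the trust anchor reached."""
    if not path:
        raise PathError("empty certification path")
    anchors_by_name = {a.name: a for a in anchors}
    for i, cert in enumerate(path):
        # Validity period is enforced for every cert that was sent,
        # including a copy of a root that the peer chose to include.
        if not (cert.not_before <= now <= cert.not_after):
            raise PathError(f"{cert.subject}: not valid at {now.isoformat()}")
        if i + 1 < len(path):
            issuer_cert = path[i + 1]
            if issuer_cert.subject != cert.issuer:
                raise PathError(f"{cert.subject}: issuer name mismatch")
            if issuer_cert.public_key != cert.signer_key:
                raise PathError(f"{cert.subject}: signature does not verify")
    last = path[-1]
    anchor = anchors_by_name.get(last.issuer)
    if anchor is None:
        raise PathError(f"{last.subject}: issuer is not a trust anchor")
    if anchor.public_key != last.signer_key:
        raise PathError(f"{last.subject}: not signed by the trust anchor key")
    return anchor.name


# --- constructed sample data ---------------------------------------------
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)
BOGUS = datetime(1900, 1, 1, tzinfo=timezone.utc)  # the 1900-1900 window from the quoted mail

ROOT = Cert("Example Root CA", "Example Root CA", BOGUS, BOGUS, "root-key", "root-key")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA",
                    datetime(2004, 1, 1, tzinfo=timezone.utc),
                    datetime(2009, 1, 1, tzinfo=timezone.utc),
                    "issuing-key", "root-key")
LEAF = Cert("www.example.test", "Example Issuing CA",
            datetime(2005, 1, 1, tzinfo=timezone.utc),
            datetime(2006, 1, 1, tzinfo=timezone.utc),
            "leaf-key", "issuing-key")
ANCHORS = [anchor_from_cert(ROOT)]


def check(path):
    """Return the anchor name on success, or 'rejected: ...' on failure."""
    try:
        return validate_path(path, ANCHORS, NOW)
    except PathError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    # Anchor taken from ROOT despite its nonsense dates: accepted.
    print(check([LEAF, INTERMEDIATE]))
    # The same root sent as part of the path is now a regular certificate,
    # its validity period is enforced, and the path is rejected.
    print(check([LEAF, INTERMEDIATE, ROOT]))
```

The first call succeeds because the root's dates never enter the computation: only its name and key were copied into the anchor. The second call fails on the very same bytes, because once the root is transmitted in the path it is checked like any other certificate, which is exactly why a root with nonsense fields must not be sent in a path.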

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.