Re: [TLS] Record layer corner cases
You argue that a TLS receiver should go out of its way to
build a second, longer path that contains the root certificate:

2) TA -> Root -> CA -> EE

Correct. SSLv3 (and probably TLS as well) supports only a straightforward certification path, and if the local trust anchor happens to be the rootCA cert, then I think it is correct to check that rootCA cert during path validation in case the peer sends it.

My certificate store (which contains all the trusted certificates) is indexed based on the DER encoding of the certificates, so if a server includes a root certificate in its certification path, it is easily determined to be a trust anchor. So in my case TA == Root and you are left with TA -> CA -> EE.

However, this discussion pointed out that I was checking the
expiration date of the trust anchor, which apparently is not the
right thing to do, so I just eliminated that check.

Mike

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
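As an added illustration of the path handling described in the message above (example code, not from the list or its author): a Python sketch, using the pyca `cryptography` library, of a DER-indexed trust store that cuts the peer's chain at the first certificate it already trusts, so a root sent by the server becomes the TA and the path reduces to TA -> CA -> EE, and that validates the remaining certificates without checking the anchor's own expiry. The function names and the constructed three-certificate chain are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
utcnow = lambda: dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def make_cert(subject, issuer, issuer_key, key, days_from, days_to):
    """Issue a cert for `key` signed by `issuer_key`; validity is relative to now."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(utcnow() + dt.timedelta(days=days_from))
            .not_valid_after(utcnow() + dt.timedelta(days=days_to))
            .sign(issuer_key, hashes.SHA256()))

def build_path(peer_chain, trust_store):
    """Cut the peer's chain (EE first) at the first cert whose DER is in the store."""
    path = []
    for cert in peer_chain:
        if cert.public_bytes(serialization.Encoding.DER) in trust_store:
            return path, cert          # peer sent the TA itself: TA == Root
        path.append(cert)
    for anchor in trust_store.values():  # peer omitted the TA: find it by issuer name
        if path and anchor.subject == path[-1].issuer:
            return path, anchor
    raise ValueError("no trust anchor reachable from the peer's chain")

def validate(path, anchor):
    """Verify signature and validity window of each non-anchor cert only."""
    now = utcnow()
    for cert, issuer in zip(path, path[1:] + [anchor]):
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False
    return True    # the anchor's own expiry was deliberately never consulted

def demo():
    # Constructed chain: an already-expired self-signed root (the TA) -> CA -> EE.
    root_key, ca_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root", "Root", root_key, root_key, -800, -1)
    ca = make_cert("CA", "Root", root_key, ca_key, -10, 365)
    ee = make_cert("EE", "CA", ca_key, ee_key, -1, 90)
    store = {root.public_bytes(serialization.Encoding.DER): root}
    return (validate(*build_path([ee, ca, root], store)),   # server sent the root
            validate(*build_path([ee, ca], store)),         # server omitted it
            root.not_valid_after < utcnow())                # TA is in fact expired
```

Both chains validate because the expired root is recognised as the trust anchor by its DER encoding and its validity period is not part of the check.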