RE: [TLS] Record layer corner cases
Or did they consciously implement the X.509v4 behavior before it was
documented in X.509v4 because they intuitively understood that it
was the right way to handle TAs? And that the section on TA handling
wasn't just dreamed up by PKI fanciers divorced from reality, but was
added based on the expertise of, and problems encountered by, real
developers?
In a mesh PKI environment, one might want to establish trust anchors
at nodes where no self-issued certificates have ever been created and
where less than the entire content of a normal CA certificate is
appropriate across all RPs. TAs deal with that fact by designating
name and key as the only essential information; all else goes in
the bin labeled "out of band".
I suppose a zillion monkeys might produce Shakespeare, but it's
highly improbable that computer code from multiple sources works
correctly by coincidence.
Dave
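Dave's mesh-PKI point above, a trust anchor that is nothing more than a name and a key with no self-issued certificate behind it, as an added example in Go. This is not code from the thread or from any browser; the anchor name, node names and keys are constructed, and the check handles only Ed25519 signatures and a one-step path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TrustAnchor holds only what X.509v4 / RFC 5280 treat as essential: a name and a key.
type TrustAnchor struct {
	Name pkix.Name
	Key  ed25519.PublicKey
}
// VerifyAgainstAnchor checks issuer name, signature under the anchor key and leaf validity; nothing else.
func VerifyAgainstAnchor(leaf *x509.Certificate, ta TrustAnchor, now time.Time) error {
	switch {
	case leaf.Issuer.String() != ta.Name.String():
		return errors.New("issuer name does not match the anchor name")
	case now.Before(leaf.NotBefore) || now.After(leaf.NotAfter):
		return errors.New("leaf certificate is outside its validity period")
	case leaf.SignatureAlgorithm != x509.PureEd25519 || !ed25519.Verify(ta.Key, leaf.RawTBSCertificate, leaf.Signature):
		return errors.New("signature does not verify under the anchor key")
	}
	return nil
}
// Issue signs a one-year leaf for subj; the issuer is a bare template, never a stored certificate.
func Issue(subj string, issuer pkix.Name, signer ed25519.PrivateKey, pub ed25519.PublicKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: subj},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: issuer, IsCA: true, BasicConstraintsValid: true}, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// Demo returns nil for a leaf signed by the anchor key and an error for a leaf that carries
// the anchor's name but a stranger's signature. All names and keys here are constructed.
func Demo() (goodErr, rogueErr error) {
	now := time.Now()
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // the leaf's own key pair
	ta := TrustAnchor{Name: pkix.Name{CommonName: "Mesh CA"}, Key: anchorPub}
	good, _ := Issue("node-17", ta.Name, anchorPriv, otherPub, now)
	rogue, _ := Issue("node-17", ta.Name, otherPriv, otherPub, now) // stranger claims the anchor's name
	return VerifyAgainstAnchor(good, ta, now), VerifyAgainstAnchor(rogue, ta, now)
}
```

Because the anchor has no certificate of its own, there is no anchor expiry date, key usage or extension for the check to consult; only the leaf's own fields are examined.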
-----Original Message-----
From: pgut001 [mailto:pgut001 at cs.auckland.ac.nz]
Sent: Tuesday, November 28, 2006 11:01 PM
To: Kemp, David P.; pgut001 at cs.auckland.ac.nz
Cc: tls at lists.ietf.org
Subject: RE: [TLS] Record layer corner cases
"Kemp, David P." <DPKemp at missi.ncsc.mil> writes:
>Apparently, the browser vendors referred to below have been busy tearing down
>and rebuilding.
More likely they never checked in the first place, and this just appears to
work by coincidence. Perhaps we could ask the browser folks, a few of them
read this list: Did you consciously implement the X.509v4 changes to trust
anchor handling in your code within the last year or two?
Peter.
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.