Re: [TLS] Consensus call for certificate URL extension
We need to close this open issue. I think there are two basic options
that address the security issues that have been raised:

A) Deprecate the current extension and create a similar new extension
with the hash mandatory.

B) Make the hash mandatory in the current extension. This should not
cause deployment problems because there are no known deployments that
make the hash optional.

The problem with either of these options is that it gives the impression
that adding the hash improves security. As I mentioned before, if all a
client does to determine the hash is download the certificate and compute
its value, then it may just be validating a bogus certificate.

Making the hash mandatory prevents a client from effectively saying, "I
have no idea if the certificate you are about to download is valid." It
would be much better to leave the hash as optional and to add that a
client MUST NOT send a hash unless it has been configured with it by some
other means.

Mike
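
The argument in the message above, as an added example that is not part of the original thread or of any TLS implementation: it models only the server's hash comparison (not chain validation) and shows which client behaviours detect a replaced certificate. The URL, certificate bytes and function names are constructed for illustration; SHA-1 is used because that is the hash the extension's CertificateURL structure carries.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for DER certificates, not real ones.
GENUINE_CERT = b"constructed-genuine-client-certificate"
BOGUS_CERT = b"constructed-substituted-certificate"
CERT_URL = "https://certs.example/client.der"  # hypothetical URL


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def server_accepts(store, url, claimed_hash):
    """Server side: fetch the certificate and compare it to the client's hash.

    Models only the hash comparison. With no hash supplied there is
    nothing to compare, so this step cannot reject the fetched bytes.
    """
    fetched = store[url]
    if claimed_hash is None:
        return True
    return hmac.compare_digest(sha1(fetched), claimed_hash)


def hash_from_download(store, url):
    """Client that learns the hash by downloading from the same URL."""
    return sha1(store[url])


def run_scenarios():
    # Hash configured out of band, while the genuine certificate was known.
    configured = sha1(GENUINE_CERT)
    # State of the URL after the content behind it has been replaced.
    replaced = {CERT_URL: BOGUS_CERT}
    genuine = {CERT_URL: GENUINE_CERT}
    return {
        "no_hash": server_accepts(replaced, CERT_URL, None),
        "downloaded_hash": server_accepts(
            replaced, CERT_URL, hash_from_download(replaced, CERT_URL)),
        "configured_hash": server_accepts(replaced, CERT_URL, configured),
        "configured_hash_genuine": server_accepts(genuine, CERT_URL, configured),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: accepted={accepted}")
```

A hash derived from the download always matches whatever the URL currently serves, so it passes exactly where sending no hash would; only the independently configured hash rejects the replaced certificate.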