Re: [TLS] Consensus call for certificate URL extension

To: Mike <mike-list at pobox.com>
Subject: Re: [TLS] Consensus call for certificate URL extension
From: Yoav Nir <ynir at checkpoint.com>
Date: Tue, 23 Sep 2008 22:23:26 +0300
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <48D92F56.2090407 at pobox.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <AC1CFD94F59A264488DC2BEC3E890DE5069401B0 at xmb-sjc-225.amer.cisco.com> <48D929AB.7030807 at gnutls.org> <48D92F56.2090407 at pobox.com>
Sender: tls-bounces at ietf.org


On Sep 23, 2008, at 9:03 PM, Mike wrote:

The problem with either of these options is that it gives theimpressionthat adding the hash improves security. As I mentioned before, ifall aclient does to determine the hash is download the certificate andcompute
its value, then it may just be validating a bogus certificate.

I would hope that the client downloads the certificate, and verifiesthat the private key that it holds matches the public key in thecertificate before calculating the hash.

Whether the client does or does not hold the certificate, it must holdthe private key.

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

References:
- [TLS] Consensus call for certificate URL extension
  - From: Joseph Salowey (jsalowey)
- Re: [TLS] Consensus call for certificate URL extension
  - From: Nikos Mavrogiannopoulos
- Re: [TLS] Consensus call for certificate URL extension
  - From: Mike

Prev by Date: Re: [TLS] Consensus call for certificate URL extension
Next by Date: Re: [TLS] Consensus call for certificate URL extension
Previous by thread: Re: [TLS] Consensus call for certificate URL extension
Next by thread: Re: [TLS] Consensus call for certificate URL extension
Index(es):
- Date
- Thread

Re: [TLS] Consensus call for certificate URL extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.