Re: [TLS] Consensus call for certificate URL extension

To: magnus at rsa.com (Magnus Nyström)
Subject: Re: [TLS] Consensus call for certificate URL extension
From: Martin Rex <Martin.Rex at sap.com>
Date: Thu, 25 Sep 2008 21:50:05 +0200 (MEST)
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <Pine.WNT.4.64.0809251503200.7968 at W-JNISBETTEST-1.tablus.com> from "Magnus Nyström" at Sep 25, 8 03:10:03 pm
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com
Sender: tls-bounces at ietf.org

=?iso-8859-1?Q?Magnus_Nystr=F6m?= wrote:
> 
> I do not know if this extension still has value or not, but as one of the 
> authors of the original RFC 3546, I just wanted to provide some background 
> ...
> 
> This extension came about a long time ago when the WAP Forum (today: Open 
> Mobile Alliance) was looking at introducing support for TLS in their 
> architecture. Given bandwidth-constraints in the mobile networks at the 
> time, it made sense to devise a way for clients to not having to send 
> their certificates (or chains) but rather have the servers pick them up 
> somewhere. Clearly, today's networks are more capable.

Avoiding XML where it isn't necessary will save magnitudes more than
an average SSL client cert (except maybe for CAs that abuse certs
as digital junkyards), and SSL session caching will not only save
bandwidth, but also computing power, especially on thin clients.

The client should not need to send any chain certificates besides
its own End-Entity (EE) cert if the CA which signed the clients EE cert
has been announced by the server in the certificate_authorities
list of the CertificateRequest message.

We should have fixed the wording of the TLS specs 1.0/1.1/1.2 
in this regard...  The certificate_list is originally defined in
7.4.2 in the Server Certificate message--where the server doesn't
know anything about the trust anchors known to the client and
therefore sending the entire chain is appropriate.

The structure is then referenced/reused in 7.4.6. Client Certificate,
but it fails to account for the fact that the client has been sent
a list of acceptable trust anchors by the Server in the CertificateRequest
message and ought therefore be perfectly capable to verify a reduced
chain up to one of the announced trust anchors from the
certificate_authorities list, not only a full chain up to a self-signed root.

-Martin
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

References:
- Re: [TLS] Consensus call for certificate URL extension
  - From: Magnus Nyström

Prev by Date: [TLS] I-D Action:draft-ietf-tls-psk-new-mac-aes-gcm-03.txt
Next by Date: Re: [TLS] Fwd: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC
Previous by thread: Re: [TLS] Consensus call for certificate URL extension
Next by thread: Re: [TLS] Consensus call for certificate URL extension
Index(es):
- Date
- Thread

Re: [TLS] Consensus call for certificate URL extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.