Re: [TLS] Verifying X.509 Certificate Chains out of order

To: simon at josefsson.org, tls at ietf.org
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Mon, 06 Oct 2008 22:44:49 +1300
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <87abdit8c2.fsf_-_ at mocca.josefsson.org>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Sender: tls-bounces at ietf.org

Simon Josefsson <simon at josefsson.org> writes:

>It is claimed that OpenSSL, IE and Firefox does not enforce the second
>MUST in the paragraph above, and succeeds in verifying an
>out-of-sequence chain.  I haven't verified the claim.  It appears as if
>the OpenSSL developers don't consider their behaviour as a bug (see
>reply below).

Add cryptlib to the list of implementations that don't care about the order. 
In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about 
cert order.

>What are others opinion on this?  I'm looking for some guidance on
>whether we should modify our current behaviour.

I'd say modify it, in fact I'm not sure what the rationale for requiring 
ordering was in the original spec, "it's tidier that way" doesn't strike me as 
a good argument :-).

Peter.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Axel . Heider
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Martin Rex
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Dr Stephen Henson
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Rob Dugal

References:
- [TLS] Verifying X.509 Certificate Chains out of order
  - From: Simon Josefsson

Prev by Date: [TLS] Verifying X.509 Certificate Chains out of order
Next by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Previous by thread: [TLS] Verifying X.509 Certificate Chains out of order
Next by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Index(es):
- Date
- Thread

Re: [TLS] Verifying X.509 Certificate Chains out of order

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.