Re: [TLS] Verifying X.509 Certificate Chains out of order

Certicom's SSL-C toolkit does verify out-of-order chains but will generate verification warnings that may be overridden by applications.

> -----Original Message-----
> From: tls-bounces at ietf.org [mailto:tls-bounces at ietf.org] On Behalf Of Peter Gutmann
> Sent: Monday, October 06, 2008 5:45 AM
> To: simon at josefsson.org; tls at ietf.org
> Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
>
> Simon Josefsson <simon at josefsson.org> writes:
>
> >It is claimed that OpenSSL, IE and Firefox do not enforce the second
> >MUST in the paragraph above, and succeed in verifying an
> >out-of-sequence chain.  I haven't verified the claim.  It appears as if
> >the OpenSSL developers don't consider their behaviour as a bug (see
> >reply below).
>
> Add cryptlib to the list of implementations that don't care about the order.
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about
> cert order.
>
> >What are others' opinions on this?  I'm looking for some guidance on
> >whether we should modify our current behaviour.
>
> I'd say modify it, in fact I'm not sure what the rationale for requiring
> ordering was in the original spec, "it's tidier that way" doesn't strike me as
> a good argument :-).
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
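The lenient behaviour the thread describes, in code, as an added example that is not part of the original messages and not code from OpenSSL, cryptlib, GnuTLS or SSL-C: a chain builder that accepts the certificates in any order, orders them by issuer/subject matching, and reports whether the presented order already met the RFC rule, so an application can accept the chain yet log a warning the way SSL-C does. Certificates are modelled as subject/issuer name pairs and the trust anchors as a set of subject names; signature and validity checks are assumed to run afterwards on the ordered path.

```python
# Added example, not code from the thread or from any toolkit named in it.
# Certificates are (subject, issuer) name pairs; only path construction is shown.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root


def build_chain(presented, trusted_subjects):
    """Return (path, was_ordered).
    presented[0] is the end-entity certificate; the rest may come in any
    order. The path stops at the first certificate issued by a trust anchor
    (named by subject). was_ordered is True when the presented list already
    began with that path in RFC order. Raises ValueError on a missing
    issuer, a loop, or an untrusted self-signed certificate.
    """
    if not presented:
        raise ValueError("empty certificate list")
    by_subject = {}
    for c in presented:
        if c.subject in by_subject:  # ambiguous for name-based matching
            raise ValueError(f"duplicate subject {c.subject!r}")
        by_subject[c.subject] = c
    path = [presented[0]]
    seen = {presented[0].subject}
    while path[-1].issuer not in trusted_subjects:
        if path[-1].issuer == path[-1].subject:
            raise ValueError(f"untrusted self-signed {path[-1].subject!r}")
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None:
            raise ValueError(f"no certificate for issuer {path[-1].issuer!r}")
        if nxt.subject in seen:
            raise ValueError("cycle in presented certificates")
        seen.add(nxt.subject)
        path.append(nxt)
    # A trailing root or an unused certificate does not affect the verdict.
    was_ordered = list(presented[: len(path)]) == path
    return path, was_ordered


def demo():
    """Constructed chain: RFC order vs. the out-of-order case the thread discusses."""
    leaf = Cert("CN=www.example.test", "CN=Example Intermediate CA")
    inter = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
    root = Cert("CN=Example Root CA", "CN=Example Root CA")
    roots = {root.subject}
    path_a, ok_a = build_chain([leaf, inter, root], roots)  # RFC order
    path_b, ok_b = build_chain([leaf, root, inter], roots)  # out of order
    return path_a == path_b, ok_a, ok_b  # (True, True, False)
```

Both presentations yield the same path, so a verifier that only checks the built path accepts both; the second return values are what an application would use to emit the SSL-C style warning.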