Re: [TLS] Verifying X.509 Certificate Chains out of order



Peter Gutmann wrote:
> Simon Josefsson <simon at josefsson.org> writes:
> 
>> It is claimed that OpenSSL, IE and Firefox do not enforce the second
>> MUST in the paragraph above, and succeed in verifying an
>> out-of-sequence chain.  I haven't verified the claim.  It appears as if
>> the OpenSSL developers don't consider their behaviour a bug (see
>> reply below).
> 
> Add cryptlib to the list of implementations that don't care about the order. 
> In fact I'd be kinda surprised if anyone (well, apart from GnuTLS) cared about 
> cert order.
> 

OpenSSL does verify chains out of order and indeed incomplete chains if
appropriate certificates are trusted.

I would say though that particular server is misconfigured.

>> What are others opinion on this?  I'm looking for some guidance on
>> whether we should modify our current behaviour.
> 
> I'd say modify it, in fact I'm not sure what the rationale for requiring 
> ordering was in the original spec, "it's tidier that way" doesn't strike me as 
> a good argument :-).
> 

This raises a point I've wondered about for a while... Various PKIX
standards allow more than one chain between a root and an EE certificate
(cross certification et al.), so the (possibly almost) complete one a
server presents may not be the one a client will trust. CRLs can have
distinct paths too.

The wording in the specs (to me at least) implies one unique validation
path.

The CMS standards, for example, don't have the ordering requirement; they
merely allow a set of "useful certificates", which may contain more or
fewer certificates than necessary to build a chain.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson at drh-consultancy.co.uk, PGP key: via homepage.
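Added here as a worked illustration of the two OpenSSL behaviours described in the message above (an out-of-order chain and an incomplete chain still verifying) and of the multiple-path point about cross certification; this is example code written for this page, not code from the thread or from the OpenSSL project. It drives the openssl command line: the `-untrusted` bag stands in for the certificates a TLS server sends, and `-CAfile` for the client's trust store. The names (Demo Root A, Demo Root B, Demo Intermediate, leaf.test), the file layout and the use of the CLI rather than a live s_client session are assumptions; it needs an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): exercise the
# OpenSSL verifier with the openssl CLI. "-untrusted" plays the role of the
# certificates a TLS server sends, "-CAfile" the client's trust store.
# Names and file layout are assumptions made for this demo; requires openssl
# 1.1.1 or later on PATH. Keys are P-256 to keep generation fast.

# gen_csr NAME SUBJECT: fresh EC key (NAME.key) and CSR (NAME.csr)
gen_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# sign_csr CSRNAME OUTNAME EXTFILE ISSUER: issue OUTNAME.pem from CSRNAME.csr;
# an empty ISSUER means self-signed. Extensions come only from EXTFILE.
sign_csr() {
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
            -extfile "$3" -out "$2.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 1 -extfile "$3" -out "$2.pem" >/dev/null 2>&1
    fi
}

# expect_verify ok|fail ARGS...: run "openssl verify ARGS" and compare the
# outcome with what we expect; returns non-zero on a mismatch.
expect_verify() {
    want=$1; shift
    if openssl verify "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
    echo "openssl verify $* -> $got (expected $want)"
    [ "$got" = "$want" ]
}

# Runs in a subshell so the cd into the scratch directory does not leak.
# Exit status 0 means every verification behaved as expected.
demo_chain_order() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.test\n' > leaf.ext

    gen_csr rootA "/CN=Demo Root A"       && sign_csr rootA rootA ca.ext ""    || exit 1
    gen_csr rootB "/CN=Demo Root B"       && sign_csr rootB rootB ca.ext ""    || exit 1
    gen_csr int   "/CN=Demo Intermediate" && sign_csr int   int   ca.ext rootA || exit 1
    # Cross-certificate: Root B issues a second certificate over the same
    # intermediate key and subject, so two paths to the leaf now exist.
    sign_csr int int_by_B ca.ext rootB || exit 1
    gen_csr leaf  "/CN=leaf.test"         && sign_csr leaf  leaf  leaf.ext int || exit 1

    # 1. Chain in RFC order: leaf, then its issuer as the untrusted bag.
    expect_verify ok   -CAfile rootA.pem -untrusted int.pem leaf.pem || exit 1
    # 2. Same material, bag in the "wrong" order: OpenSSL does not care.
    cat leaf.pem int.pem > reversed.pem
    expect_verify ok   -CAfile rootA.pem -untrusted reversed.pem leaf.pem || exit 1
    # 3. Incomplete chain: no intermediate sent, but the client trusts it.
    cat rootA.pem int.pem > trusted.pem
    expect_verify ok   -CAfile trusted.pem leaf.pem || exit 1
    # 4. Control: intermediate neither sent nor trusted -> no chain at all.
    expect_verify fail -CAfile rootA.pem leaf.pem || exit 1
    # 5. Multiple paths: a client trusting only Root B rejects the Root A path
    #    the server sends (5a) but accepts the cross-certified one (5b).
    expect_verify fail -CAfile rootB.pem -untrusted int.pem leaf.pem || exit 1
    expect_verify ok   -CAfile rootB.pem -untrusted int_by_B.pem leaf.pem || exit 1

    cd / && rm -rf "$dir"
)

demo_chain_order
```

Run it as `sh chain_order_demo.sh`; it prints one line per verification and exits 0 when all six expectations hold. Case 5 is the practical consequence of the multiple-path remark: the server has to send the intermediate issued by the root the client actually trusts, and which root that is can differ from client to client.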

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls