Re: [TLS] Verifying X.509 Certificate Chains out of order



It is a big waste to sort and sort and sort the list each time
it is processed.  The one who is persisting the data (credential holder)
can sort it once and for all.

As another data point, my software will first attempt to validate the
certificate chain in the order it was received, but if it finds that
one certificate did not issue the previous one, it then attempts to
put them in the correct order and revalidate the chain.

I had to do this sometime last year because I couldn't connect to one
of the major credit card companies' websites with my own software, but
my browsers were able to.  An additional problem with that site was
their CRL was PEM encoded!

As has been said, be liberal in what you accept....

Mike
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
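The fallback Mike describes (validate the chain as received, and only if a link fails, sort it by issuer/subject and validate again) together with tolerating a PEM-encoded CRL, as an added example. This is not Mike's code or any library's; certificates are modelled as plain records and the issuer signature is a SHA-256 stand-in so the example runs offline, and all names (`Cert`, `build_path`, `reorder_chain`, `crl_to_der`, the "Example Root" hierarchy) are constructed for illustration.

```python
"""Reorder and validate an X.509-style chain that arrived out of order.

Certificates are plain records (subject, issuer, key, sig). The "signature" is
a SHA-256 hash keyed by the issuer's key, a stand-in for a real signature so
the example runs offline; the path-building walk over subject/issuer names is
the part being demonstrated.  Sample data below is constructed.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # stand-in for the subject public key
    sig: bytes   # stand-in for the issuer's signature over tbs()

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|".encode() + self.key


def make_cert(subject: str, issuer: str, key: bytes, issuer_key: bytes) -> Cert:
    """Constructed certificate: 'sign' by hashing the issuer key over the TBS bytes."""
    tbs = f"{subject}|{issuer}|".encode() + key
    return Cert(subject, issuer, key, hashlib.sha256(issuer_key + tbs).digest())


def issued_by(cert: Cert, issuer: Cert) -> bool:
    """Name match plus signature check (toy: recompute the hash with the issuer key)."""
    if cert.issuer != issuer.subject:
        return False
    return hashlib.sha256(issuer.key + cert.tbs()).digest() == cert.sig


def validate_in_order(chain: List[Cert], anchors: Dict[str, Cert]) -> bool:
    """chain[0] is the leaf; each cert must be issued by the next, the last by an anchor."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if not issued_by(child, parent):
            return False
    anchor = anchors.get(chain[-1].issuer)
    return anchor is not None and issued_by(chain[-1], anchor)


def reorder_chain(certs: List[Cert]) -> Optional[List[Cert]]:
    """Walk from the leaf toward the root by subject/issuer name; None if ambiguous."""
    by_subject: Dict[str, Cert] = {}
    for c in certs:
        if c.subject in by_subject:
            return None          # duplicate subjects: names alone cannot order these
        by_subject[c.subject] = c
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:         # no leaf, or several unrelated leaves
        return None
    ordered, seen = [leaves[0]], {leaves[0].subject}
    while True:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None or nxt.subject in seen:
            return ordered       # issuer not in the bundle, or self-signed root reached
        ordered.append(nxt)
        seen.add(nxt.subject)


def build_path(received: List[Cert], anchors: Dict[str, Cert]) -> List[Cert]:
    """Be liberal: accept the chain as sent; if that fails, sort it once and retry."""
    if validate_in_order(received, anchors):
        return received
    reordered = reorder_chain(received)
    if reordered is not None and validate_in_order(reordered, anchors):
        return reordered
    raise ValueError("certificate chain does not validate in any order")


_PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def crl_to_der(blob: bytes) -> bytes:
    """Accept a CRL as DER or as PEM text and return DER bytes either way."""
    m = _PEM_CRL.search(blob)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return blob


# Constructed three-level hierarchy: root -> intermediate -> server certificate.
ROOT_KEY, INT_KEY, LEAF_KEY = b"root-key", b"int-key", b"leaf-key"
ROOT = make_cert("Example Root", "Example Root", ROOT_KEY, ROOT_KEY)
INTER = make_cert("Example Intermediate", "Example Root", INT_KEY, ROOT_KEY)
LEAF = make_cert("www.example.test", "Example Intermediate", LEAF_KEY, INT_KEY)
ANCHORS = {ROOT.subject: ROOT}

if __name__ == "__main__":
    # Constructed: the server sent the intermediate before the leaf.
    print([c.subject for c in build_path([INTER, LEAF], ANCHORS)])
    # Constructed PEM wrapper around a few DER bytes.
    print(crl_to_der(b"-----BEGIN X509 CRL-----\nMAMCAQA=\n-----END X509 CRL-----\n").hex())
```

The reorder step is deliberately name-based and refuses to guess when names are ambiguous (duplicate subjects, more than one apparent leaf); in that case the chain is rejected rather than accepted on the strength of a lucky ordering, and a real implementation would additionally check validity periods, key usage and revocation on the final path.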



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.