Re: [TLS] Verifying X.509 Certificate Chains out of order

To: martin.rex at sap.com
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
From: Martin Rex <Martin.Rex at sap.com>
Date: Tue, 7 Oct 2008 13:43:53 +0200 (MEST)
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <200810071109.m97B9vFl011461 at fs4113.wdf.sap.corp> from "Martin Rex" at Oct 7, 8 01:09:57 pm
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com
Sender: tls-bounces at ietf.org

Martin Rex wrote:
> 
> Stefan Santesson wrote:
> > 
> > Just agreeing on the principle that implementers should be forced to
> > send the certificates in order but it definitely must be allowed
> > to accept out of order chains.
> 
> I have absolutely no problem with implementations that accept an
> unordered list.

Thinking about it, what exactly do you mean with unordered?

Since there isn't any additional information in the protocol to
identity the end-entity cert in the certificate_list, that certificate
will have to be the first.  Or does your code really apply heuristics
in locating the end entity cert?

In PKCS#7 there is the the signerinfos (issuer&serial) that make the
search in the unordered and only loosely related CertificateAndCertificates
bag at least deterministic (not purely heuristic).

-Martin
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Eric Rescorla

References:
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Martin Rex

Prev by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Previous by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Index(es):
- Date
- Thread

Re: [TLS] Verifying X.509 Certificate Chains out of order

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.