Re: [TLS] Verifying X.509 Certificate Chains out of order

On Tue, Oct 07, 2008 at 01:09:57PM +0200, Martin Rex wrote:
> > As long as I can use, some or all, of the provided certificates
> > to construct a valid path, and I'm willing to undertake the effort
> > to do so, then it would be quite senseless to force me to reject that path.
> 
> I wouldn't be surprised if some implementations of PKI would follow AIA
> while building a chain from an incomplete unordered set.

Indeed. Not sure what this has to do with the ordered/unordered
discussion, though; Microsoft's CryptoAPI does that in certain cases
(luckily, not always), see
http://www.cynops.de/techzone/http_over_x509.html

> *I* certainly would not want *my* servers to do that.

They turned that off in the server case; I still don't like the idea of
clients sending arbitrary HTTP requests in response to some SPAM mail.

While we have someone from Microsoft on the thread: any ideas on when
this will be fixed? I reported it more than 6 months ago now and
haven't heard back from MSRC.

Cheers,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink at cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

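
An added example, not code from this thread, from CryptoAPI or from any other implementation discussed here: a Go sketch of chain building that orders an unordered certificate set using only what the peer supplied, checks a signature at every step, and refuses to complete the path (rather than fetching the AIA caIssuers URL) when the intermediate is missing. The CA names, the demo.example host and the http://aia.example/inter.crt URL are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert issues a throwaway cert for cn signed by parent (self-signed when nil); aia holds constructed caIssuers URLs.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, aia ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: these are test fixtures only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, IssuingCertificateURL: aia,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// OrderChain rebuilds leaf -> ... -> self-signed root from an unordered pool by issuer-name lookup plus a
// signature check at every step. It never follows AIA: an incomplete pool yields nil rather than a network
// fetch. (One cert per subject name is kept; cross-signed sets would need a full search instead.)
func OrderChain(leaf *x509.Certificate, pool ...*x509.Certificate) []*x509.Certificate {
	bySubject := map[string]*x509.Certificate{}
	for _, c := range pool {
		bySubject[c.Subject.String()] = c
	}
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) <= len(pool)+1; { // bound guards against issuer loops
		if cur.CheckSignatureFrom(cur) == nil { // self-signed: path is complete
			return chain
		}
		next := bySubject[cur.Issuer.String()]
		if next == nil || cur.CheckSignatureFrom(next) != nil {
			return nil // issuer missing or signature wrong: stop here, do not go online
		}
		chain, cur = append(chain, next), next
	}
	return nil
}
func main() {
	root, rootKey := makeCert("Demo Root", true, nil, nil)
	inter, interKey := makeCert("Demo Intermediate", true, root, rootKey)
	leaf, _ := makeCert("demo.example", false, inter, interKey, "http://aia.example/inter.crt")
	fmt.Println(len(OrderChain(leaf, root, leaf, inter)), OrderChain(leaf, root, leaf) == nil, leaf.IssuingCertificateURL)
}
```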

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.