Re: [TLS] Verifying X.509 Certificate Chains out of order

To: "Steven M. Bellovin" <smb at cs.columbia.edu>
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
From: "Ben Laurie" <benl at google.com>
Date: Sun, 12 Oct 2008 21:28:41 +0100
Cc: Simon Josefsson <simon at josefsson.org>, tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1223843325; bh=DftLLJ1JzSBklWijyblp4UuOgGs=; h=DomainKey-Signature:Message-ID:Date:From:To:Subject:Cc: In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-Disposition:References; b=bLcspIQHOJHNLJJn+XfoubW60IwC+62Q sU7hB9UF/NIosDWvCIBz+hwoFxgKF8G/MucIbRm1sFF6gOZ4hkb1og==
Domainkey-signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=message-id:date:from:to:subject:cc:in-reply-to: mime-version:content-type:content-transfer-encoding: content-disposition:references; b=wNadjTp/BpvVcmhTchsdyn/MKFyXr6ZTZJAHIhsPTpjWX2Mi/3bxFGyDcjWBnFexB U7CeVF0pbz11aY/Zj19iQ==
In-reply-to: <20081006113354.69029a62 at cs.columbia.edu>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <1223034323.30303.29.camel at localhost> <877i8pk772.fsf at mocca.josefsson.org> <1223281251.12502.74.camel at localhost> <87abdit8c2.fsf_-_ at mocca.josefsson.org> <20081006144152.5B9596B57F6 at kilo.rtfm.com> <20081006113354.69029a62 at cs.columbia.edu>
Sender: tls-bounces at ietf.org

On Mon, Oct 6, 2008 at 4:33 PM, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
> On Mon, 06 Oct 2008 07:41:52 -0700
> Eric Rescorla <ekr at networkresonance.com> wrote:
>
>> I think there are two separate issues here:
>>
>> (1) Whether implementations should be required to send certificates
>>     in a specific order.
>> (2) Whether implementations should generate an error if they are
>>     received in another order.
>>
> "Be conservative in what you send; be liberal in what you accept."

I thought we'd given up on that as a useful generalisation since it
introduces security problems in some circumstances, for example HTTP
header stuffing. Which is not to say I am opposed to this particular
change, but that adage is an entirely insufficient justification.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Jeffrey A. Williams

References:
- [TLS] Verifying X.509 Certificate Chains out of order
  - From: Simon Josefsson
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Eric Rescorla
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Steven M. Bellovin

Prev by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Previous by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Index(es):
- Date
- Thread

Re: [TLS] Verifying X.509 Certificate Chains out of order

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.