On Wed, Aug 26, 2015 at 02:11:01PM -0700, Joseph Salowey wrote:
> It looks like we have good consensus on PR 169 to relax certificate list
> ordering requirements. I had one question on the revised text. I'm
> unclear on the final clause in this section:
>
> "Because certificate validation requires that trust anchors be distributed
> independently, a self-signed certificate that specifies a trust anchor MAY
> be omitted from the chain, provided that supported peers are known to
> possess any omitted certificates they may require."
>
> I just want to make sure there isn't the intention of omitting certificates
> that are not self-signed.
There is no such intention; the new text in question expands on existing text in previous versions of TLS that specifically blesses omission of self-signed issuers. Such omission is no longer universally applicable, since with DANE-TA(2) for example, even self-signed issuers MUST be included in the server chain.

https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.2.2

So the intent here is to hedge the circumstances under which chain elements are omitted. This is not an attempt to bless further chain optimization. What's new here is the "provided that ...".

-- 
Viktor.
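To illustrate the two rules being discussed, here is an added example (not code from the draft, the thread, or any TLS implementation): a toy path builder over name-only certificate stubs, with no signature checks, that accepts a presented list in any order after the end-entity cert, tolerates an omitted self-signed trust anchor in ordinary PKIX mode, and refuses that omission in DANE-TA(2) mode. The certificate names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Name-only stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_path(presented: List[Cert], trust_anchors: List[Cert],
               dane_ta: bool = False) -> Optional[List[Cert]]:
    """Return the validation path (end-entity first) or None.

    presented[0] must be the end-entity cert; the remaining certs may appear
    in any order. In PKIX mode an issuer missing from the list is acceptable
    only if it is one of the peer's trust anchors (the "provided that" clause).
    In DANE-TA(2) mode the trust anchor is the cert matched by the TLSA record
    and must itself be present in the presented chain.
    """
    pool = {c.subject: c for c in presented[1:]}       # order is irrelevant
    anchors = {c.subject for c in trust_anchors}
    cur = presented[0]
    path, seen = [cur], {cur.subject}
    while cur.subject not in anchors:
        if cur.self_signed:
            return None                                 # untrusted self-signed cert
        nxt = pool.get(cur.issuer)
        if nxt is None:
            # Issuer omitted: fine only if the peer already holds it as a trust
            # anchor, and never under DANE-TA(2), where the TA must be sent.
            return path if (cur.issuer in anchors and not dane_ta) else None
        if nxt.subject in seen:
            return None                                 # loop in the presented certs
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    return path
```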