Thanks Viktor, I missed this part of the discussion. The text looks fine to me as is.
Joe

On Wed, Aug 26, 2015 at 2:50 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> On Wed, Aug 26, 2015 at 02:11:01PM -0700, Joseph Salowey wrote:
>
> > It looks like we have good consensus on PR 169 to relax certificate list
> > ordering requirements. I had one question on the revised text. I'm
> > unclear on the final clause in this section:
> >
> > "Because certificate validation requires that trust anchors be distributed
> > independently, a self-signed certificate that specifies a trust anchor MAY
> > be omitted from the chain, provided that supported peers are known to
> > possess any omitted certificates they may require."
> >
> > I just want to make sure there isn't the intention of omitting certificates
> > that are not self-signed.
>
> There is no such intention; the new text in question expands on
> existing text in previous versions of TLS that specifically blesses
> omission of self-signed issuers. Such omission is no longer
> universally applicable, since with DANE-TA(2) for example, even
> self-signed issuers MUST be included in the server chain.
>
> https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.2.2
>
> So the intent here is to hedge the circumstances under which chain
> elements are omitted. This is not an attempt to bless further
> chain optimization. What's new here is the "provided that ...".
>
> --
> Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
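A small model of the rule discussed above, added here as an illustration and not part of the thread or of any IETF draft: it builds a path from a chain sent in any order (the PR 169 relaxation), lets a self-signed trust anchor be omitted only when the relying party already holds it, and in DANE-TA(2) mode refuses a chain that omits the anchor. Certificate names are constructed and signature checking is left out, which are assumptions of the model.

```python
"""Model of TLS 1.3 chain handling: unordered chains, omitted self-signed anchors."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (names only, no signatures)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_path(leaf_subject: str, chain: List[Cert], trust_anchors: List[Cert],
               dane_ta: bool = False) -> Optional[List[Cert]]:
    """Return the ordered path leaf..anchor, or None if no trusted path exists.

    chain: certificates the peer sent, in any order.
    trust_anchors: self-signed anchors the relying party holds locally
      (a PKIX store, or the TA designated by a DANE-TA(2) TLSA record).
    dane_ta: when True the self-signed anchor MUST be present in the chain.
    """
    by_subject = {c.subject: c for c in chain}
    local = {c.subject: c for c in trust_anchors if c.self_signed}
    cur = by_subject.get(leaf_subject)
    if cur is None:
        return None
    path, seen = [cur], {cur.subject}
    while not cur.self_signed:
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            # Issuer omitted from the chain: tolerated only for a self-signed
            # anchor we already hold, and never in DANE-TA(2) mode.
            anchor = local.get(cur.issuer)
            if dane_ta or anchor is None:
                return None
            return path + [anchor]
        if nxt.subject in seen:  # loop in the supplied chain
            return None
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    # Chain ended at a self-signed cert; it still has to match a held anchor.
    return path if cur.subject in local else None
```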