To me it seems that both of these wordings could be interpreted by someone that if you do not have a trust anchor and you get it in the TLS handshake, you can use it and trust it.
That sounds dangerous. -----Original Message----- From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Dave Garrett Sent: Wednesday, August 26, 2015 5:42 PM To: tls@ietf.org Subject: Re: [TLS] Consensus on PR 169 - relax certificate list requirements On Wednesday, August 26, 2015 05:11:01 pm Joseph Salowey wrote: > It looks like we have good consensus on PR 169 to relax certificate > list ordering requirements. I had one question on the revised text. > I'm unclear on the final clause in this section: > > "Because certificate validation requires that trust anchors be > distributed independently, a self-signed certificate that specifies a > trust anchor MAY be omitted from the chain, provided that supported > peers are known to possess any omitted certificates they may require." > > I just want to make sure there isn't the intention of omitting > certificates that are not seif-signed. Well, technically anything can be omitted; it just won't validate. :p I'm not opposed to tweaking the wording here, but I don't really see it as a problem. If someone does, though, that's reason enough for me to agree to changing it. Simplest change is: "any omitted certificates they may require" -> "it" \/ "Because certificate validation requires that trust anchors be distributed independently, a self-signed certificate that specifies a trust anchor MAY be omitted from the chain, provided that supported peers are known to possess it." Dave _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
