On Thu, Aug 27, 2015 at 01:22:33PM -0400, Santosh Chokhani wrote:

> To me it seems that both of these wordings could be interpreted by someone
> that if you do not have a trust anchor and you get it in the TLS handshake,
> you can use it and trust it.
>
> That sounds dangerous.
Beyond a general "there's no such thing as fool-proof", I don't see how such an interpretation might be arrived at. Trust-anchors are both frequently sent and frequently not sent in the TLS handshake. The new text just says that it may be acceptable to omit them, but sometimes clients need the trust-anchor certificate to be sent, because they verify it by fingerprint or similar, and don't have a (complete) local copy.

The text is fine.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
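Added illustration (my own code, not from this thread or any IETF text) of the distinction Viktor draws: a client may accept a trust anchor that the server happens to send only when it already knows that anchor, either as a full local copy or as a pinned fingerprint; an anchor that is merely present in the handshake is never trusted on its own. `Cert`, `find_trust_anchor` and the DER byte strings are constructed stand-ins, and signature verification along the chain is assumed to be done separately.

```python
"""Trust-anchor selection for a presented TLS chain, pin- or copy-based."""
import hashlib
from typing import List, NamedTuple, Optional, Set


class Cert(NamedTuple):
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the real DER encoding


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(cert.der).hexdigest()


def find_trust_anchor(chain: List[Cert], pinned: Set[str],
                      local_anchors: List[Cert]) -> Optional[Cert]:
    """Walk the presented chain (leaf first) until it reaches known trust.

    A certificate becomes the anchor only if the client already knows it:
    by a pinned SHA-256 fingerprint (so the server must send it, as the
    client holds no full copy) or as a full local copy (so the server may
    omit it).  A root that is only *sent* is never accepted by itself.
    Returns the anchor, or None when the chain never reaches known trust.
    """
    presented = {c.subject: c for c in chain}
    local = {c.subject: c for c in local_anchors}
    cur, seen = chain[0], set()
    while cur.subject not in seen:
        seen.add(cur.subject)
        if fingerprint(cur) in pinned:      # anchor sent, verified by pin
            return cur
        if cur.issuer in local:             # anchor omitted, client has copy
            return local[cur.issuer]
        nxt = presented.get(cur.issuer)     # keep walking the sent chain
        if nxt is None or nxt is cur:       # issuer missing, or unpinned root
            return None
        cur = nxt
    return None  # issuer loop: malformed chain


# Constructed sample chain and an unrelated, unpinned root.
ROOT = Cert("Example Root", "Example Root", b"ROOT-DER")
INTER = Cert("Example CA", "Example Root", b"INTER-DER")
LEAF = Cert("www.example.net", "Example CA", b"LEAF-DER")
ROGUE = Cert("Rogue Root", "Rogue Root", b"ROGUE-DER")
```

With `pinned={fingerprint(ROOT)}`, the chain `[LEAF, INTER, ROOT]` resolves to `ROOT`, while `[LEAF, INTER]` does not, since a pin cannot be checked against a certificate that was never sent; with a local copy of `ROOT` the shorter chain resolves too.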