On Thu, Oct 22, 2015 at 10:30:33AM -0700, Martin Thomson wrote:

> > % a certificate that specifies a trust anchor MAY be omitted from the chain
> >
> > The client cannot decide that the signature on the root cert the server
> > sent is bad, if the server does not send the root cert.
> 
> Yes, that was my thinking.
> 
> I expect that if a certificate is sent, then it might have to be
> checked.  As opposed to the roots, which are rarely sent or checked.

The roots are sent more frequently than you imagine.  With DANE-TA(2)
they MUST be sent if the server's TLSA record nominates a self-signed
trust-anchor.  Furthermore, OpenSSL sends whatever the administrator
puts in the server "chain file"; it would be wrong for it to
selectively delete the configured certificates, and many systems
include the root CA in the chain file.

> Maybe it would help if Victor could describe the situation in which he
> thinks that it would be appropriate to send a certificate that is
> signed by MD5.

The CAcert.org root is self-signed with MD5 and is sent as part of
the chain by various systems.  This self-signature is harmless,
but some systems pedantically disrupt the handshake in response.

For example, some Postfix clients are configured with CAcert.org
client cert chains, and provide client certs to the
mail.protection.outlook.com MTAs which then force a downgrade to
cleartext by refusing to continue the handshake.

The refusal to accept an MD5 self-signature is pedantic security
degradation.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
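The distinction the thread turns on, that a trust anchor is trusted by identity while every other certificate in the chain is trusted only through a verified signature, can be shown with a small chain walk. The following is an added example for this page, not code from the thread, from OpenSSL or from Postfix; certificates are plain records, signature verification is simulated by a flag rather than real cryptography, and the names ("Constructed Root CA" and so on) are constructed stand-ins, not the actual CAcert.org certificates. The `pedantic` flag models a verifier that also inspects the digest on a root the peer happened to send.

```python
"""Toy chain validator: why a trust anchor's self-signature digest is irrelevant.

Added illustration, not code from the mailing-list thread or any TLS library.
Signature checks are simulated (signature_ok flag); all names are constructed.
"""
from dataclasses import dataclass

# Digests a verifier should refuse on any signature it actually verifies.
WEAK_DIGESTS = {"md5", "sha1"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str        # digest used in the signature carried by this cert
    signature_ok: bool  # stand-in for "issuer's key verifies this signature"


def validate_chain(chain, trust_store, pedantic=False):
    """Walk from the leaf towards a configured trust anchor.

    Returns (ok, reason). A certificate whose subject is in trust_store is a
    trust anchor: it is trusted by identity and its own signature is never
    verified, so the digest it was self-signed with does not matter. With
    pedantic=True the walk instead rejects a weak digest on an anchor the peer
    sent, which is the behaviour the message above criticises.
    """
    if not chain:
        return False, "empty chain"
    expected_subject = chain[0].subject
    for cert in chain:
        if cert.subject != expected_subject:
            return False, f"chain broken at {cert.subject}"
        if cert.subject in trust_store:
            # Reached an anchor: trust by identity, no signature check needed.
            if pedantic and cert.sig_alg in WEAK_DIGESTS:
                return False, f"pedantic: weak {cert.sig_alg} self-signature on anchor {cert.subject}"
            return True, f"anchored at {cert.subject}"
        # Not an anchor: this signature is load-bearing and must be strong and valid.
        if cert.sig_alg in WEAK_DIGESTS:
            return False, f"weak {cert.sig_alg} signature on {cert.subject}"
        if not cert.signature_ok:
            return False, f"bad signature on {cert.subject}"
        expected_subject = cert.issuer
    # The peer omitted the root; fine if the last issuer is a configured anchor.
    if expected_subject in trust_store:
        return True, f"anchored at omitted root {expected_subject}"
    return False, "chain does not reach a trust anchor"


# Constructed sample chain: modern signatures below an MD5 self-signed root.
ROOT = Cert("Constructed Root CA", "Constructed Root CA", "md5", True)
INTERMEDIATE = Cert("Constructed Intermediate CA", "Constructed Root CA", "sha256", True)
LEAF = Cert("client.example.test", "Constructed Intermediate CA", "sha256", True)
CHAIN_WITH_ROOT = [LEAF, INTERMEDIATE, ROOT]
CHAIN_WITHOUT_ROOT = [LEAF, INTERMEDIATE]
TRUST_STORE = {"Constructed Root CA"}

# A chain where the weak digest is on a verified signature, which must fail.
WEAK_LEAF = Cert("client.example.test", "Constructed Intermediate CA", "md5", True)
CHAIN_WEAK_LEAF = [WEAK_LEAF, INTERMEDIATE, ROOT]


if __name__ == "__main__":
    for label, chain in [("root sent", CHAIN_WITH_ROOT),
                         ("root omitted", CHAIN_WITHOUT_ROOT),
                         ("md5 on leaf", CHAIN_WEAK_LEAF)]:
        for pedantic in (False, True):
            print(f"{label:12} pedantic={pedantic!s:5} ->",
                  validate_chain(chain, TRUST_STORE, pedantic))
```

Running it shows the inconsistency the message points at: the pedantic verifier accepts the chain when the root is omitted but rejects the very same trust relationship when the root is included, even though in both cases the root's self-signature plays no part in establishing trust. The MD5 signature on the leaf is rejected in both modes, because that signature is one the verifier actually relies on.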
