On 08/26/2015 11:42 PM, Dave Garrett wrote:
> On Wednesday, August 26, 2015 05:11:01 pm Joseph Salowey wrote:
>> It looks like we have good consensus on PR 169 to relax certificate list
>> ordering requirements. I had one question on the revised text. I'm
>> unclear on the final clause in this section:
>>
>> "Because certificate validation requires that trust anchors be distributed
>> independently, a self-signed certificate that specifies a trust anchor MAY
>> be omitted from the chain, provided that supported peers are known to
>> possess any omitted certificates they may require."
>>
>> I just want to make sure there isn't the intention of omitting certificates
>> that are not self-signed.
>
> Well, technically anything can be omitted; it just won't validate. :p
Firefox completes chains with intermediate certificates it has seen in other certificate chains. This is an endless source of headaches if you use headless clients which do not perform this caching. In this light, "MUST NOT automatically complete incomplete chains, except with a trusted root certificate (self-signed or not)" might be an attractive option.

Except that Mozilla could claim its self-learning trust store is just magically growing root certificates in the sense of such a requirement (although such certificates are necessarily intermediate, otherwise it would not be safe to mark them as trusted automatically).

-- 
Florian Weimer / Red Hat Product Security

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
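The caching behaviour discussed above, as an added example that is not part of this thread or of any browser's code: a Go program (standard library only) builds a constructed root -> intermediate -> leaf chain, then verifies the leaf as a client would when the server omits the intermediate, once with an empty intermediate store (a headless client that caches nothing) and once with the intermediate in a local cache (Firefox-like). The CA names and the hostname example.test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for name, signed by parent (self-signed when parent is nil).
func makeCert(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"example.test"}, // constructed hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyLeaf performs path validation with the given trust anchors and whatever
// intermediates the client has available (from the handshake or a local cache).
func verifyLeaf(leaf *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: "example.test"})
	return err == nil
}

// Demo returns whether an incomplete chain (leaf only) validates without a cache
// of intermediates and with the intermediate already cached from an earlier connection.
func Demo() (withoutCache, withCache bool) {
	root, rootKey := makeCert("Test Root", true, 1, nil, nil)
	inter, interKey := makeCert("Test Intermediate", true, 2, root, rootKey)
	leaf, _ := makeCert("example.test", false, 3, inter, interKey)
	roots, cache := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	cache.AddCert(inter) // what a Firefox-style client remembered from another chain
	return verifyLeaf(leaf, roots, x509.NewCertPool()), verifyLeaf(leaf, roots, cache)
}

func main() {
	a, b := Demo()
	fmt.Printf("no cache: %v, cached intermediate: %v\n", a, b)
}
```

The first result is what a headless client sees when a server relies on browsers to fill in the missing intermediate; the second is why the misconfiguration goes unnoticed in the browser.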
