[Ach] Fwd: [TLS] Certificate validation can of worms
Aaron Zauner
azet at azet.org
Sat Apr 5 18:31:56 CEST 2014
-------- Original Message --------
Subject: [TLS] Certificate validation can of worms
Date: Fri, 4 Apr 2014 18:35:52 -0700
From: Watson Ladd <watsonbladd at gmail.com>
To: tls at ietf.org <tls at ietf.org>
Dear all,
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf contains tests of
many TLS implementations. Interestingly all tested implementations
contain errors, and all but OpenSSL erroneous accepts. Cryptlib was
not tested, because it doesn't validate certificates.
At the core of these issues is the complexity of certificate
validation. Things for this committee to consider:
1: How will DANE make this worse?
2: Is this really the best we can do? What features of X509 led to
these problems?
3: This focused on server authentication. How does client authentication
fare?
4: Did this actually cover everything?
Sincerely,
Watson Ladd
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140405/0c31ebc7/attachment.sig>
More information about the Ach
mailing list