Jim Schaad replied:
> Martin Rex replied:
>> Jim Schaad wrote:
>> >
>> > If there is only one possible certification path then there is no
>> > difference between caching just the EE certificate and caching the
>> > entire chain. However in the event that multiple certificate paths
>> > are possible there may be a difference in behavior.
>>
>> Nope, not for what is specified in server-id-check.
>>
>> At most, the client would have to memorize along with the server cert
>> whether regular certificate path validation worked for this cached cert.
>> Any changes to the path (above the server cert) will either make the cert
>> path validation fail or be security-irrelevant--entirely without caching
>> and comparing chain certs above the cached/pinned server cert.
>
> There is no need to remember that path validation has passed or failed - by
> definition it has passed or you would never even get here. The document
> does not "permit" the case of using a certificate if path validation has
> failed.
Agreed.
Perhaps we could make this more clear in sections "1.3. Applicability" and
"1.4.2. Out of Scope".
=JeffH
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
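The caching model the thread converges on (cache only the end-entity server certificate, store it only once ordinary path validation has passed, and on a later connection compare the presented EE certificate alone, without caching or comparing the chain above it), as an added example in Python. This is not code from the certid thread or from the server-id-check draft; the server name, the certificate byte strings standing in for DER encodings, and the `demo_validate_path` callback are constructed placeholders, and a real client would pass its library's RFC 5280 path validator as `validate_path`.

```python
"""Cache the end-entity (EE) server certificate after it has passed ordinary
certification-path validation; on later connections compare only that EE
certificate and ignore whatever chain the server sends above it.

Added example, not code from the certid thread or the server-id-check draft.
The certificates below are constructed byte strings standing in for DER
encodings; `validate_path` is a caller-supplied callback assumed to perform
the usual RFC 5280 path validation.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Sequence


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding; the cache key for one EE certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class EECertCache:
    """Stores, per server identity, the fingerprint of the EE cert only.

    Nothing about the certification path above the EE cert is kept, so the
    cache cannot and need not notice changes to intermediates or roots.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def lookup(self, server_id: str) -> Optional[str]:
        return self._pins.get(server_id)

    def record(self, server_id: str, ee_cert_der: bytes) -> None:
        self._pins[server_id] = fingerprint(ee_cert_der)


def check_server_cert(
    cache: EECertCache,
    server_id: str,
    ee_cert_der: bytes,
    chain: Sequence[bytes],
    validate_path: Callable[[bytes, Sequence[bytes]], bool],
) -> str:
    """Return 'cached' if the presented EE cert equals the cached one,
    'validated' if it was newly path-validated and then cached; raise
    ValueError if validation fails.

    The chain above the EE cert is handed only to validate_path; it is never
    stored and never compared, so there is no separate flag to remember:
    an entry exists only because validation passed when it was created.
    """
    pin = cache.lookup(server_id)
    if pin is not None and pin == fingerprint(ee_cert_der):
        return "cached"
    # Cache miss, or a different EE cert than the cached one: do ordinary
    # path validation over the presented chain.
    if not validate_path(ee_cert_der, chain):
        # A certificate that failed validation is never cached.
        raise ValueError(f"path validation failed for {server_id}")
    cache.record(server_id, ee_cert_der)
    return "validated"


# --- constructed sample data (placeholders, not real certificates) ----------
SERVER = "www.example.com"
EE_CERT = b"DER:EE:CN=www.example.com"
INTERMEDIATE_A = b"DER:CA:Intermediate A"
INTERMEDIATE_B = b"DER:CA:Intermediate B"
ROOT = b"DER:CA:Root"


def demo_validate_path(ee_cert_der: bytes, chain: Sequence[bytes]) -> bool:
    """Stand-in validator (an assumption for this demo): accepts any chain
    that terminates in ROOT. A real client uses its RFC 5280 validator here."""
    return len(chain) > 0 and chain[-1] == ROOT


def demo() -> List[str]:
    cache = EECertCache()
    results: List[str] = []
    # First contact: full path validation, then the EE cert is cached.
    results.append(check_server_cert(cache, SERVER, EE_CERT,
                                     [INTERMEDIATE_A, ROOT], demo_validate_path))
    # Same EE cert presented with a different path (e.g. a cross-certified
    # intermediate): the cache hit is decided on the EE cert alone.
    results.append(check_server_cert(cache, SERVER, EE_CERT,
                                     [INTERMEDIATE_B, ROOT], demo_validate_path))
    # A different EE cert is a miss and must be validated; here it fails and
    # is therefore not cached.
    try:
        check_server_cert(cache, SERVER, b"DER:EE:forged", [], demo_validate_path)
        results.append("unexpected-success")
    except ValueError:
        results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

The cache entry carries no "validation passed" flag because, as the thread notes, an entry can only come into existence after validation succeeded; `check_server_cert` consults the chain solely on a miss, which is the "entirely without caching and comparing chain certs above the cached/pinned server cert" behaviour described above.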