View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004172 | 10000-012: Discovery | Spec | public | 2018-02-27 13:46 | 2018-03-13 20:05 |
Reporter | Matthias Damm | Assigned To | randyarmstrong | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Summary | 0004172: Breaking 1.04 change in TrustListType::AddCertificate | ||||
Description | The original description of TrustListType::AddCertificate states "allows a Client to add a single Certificate to the Trust List". 1.04 added another paragraph to fix an issue where this is not fix for: This breaks all existing applications (clients and servers) and potentially creates a major security issue. In the best case, a server takes the first certificat in the chain and puts it in the requested place (trust or issuer list). In the worst case, a server takes the complete chain and stores it completely in the trust list. I would expect no existing server is implementig the special logic that was added in 1.04. In addition it forces a behaviour that is maybe not what the user wants to do. It would not be possible to put two certificates out of the chain into the trust list and the remaining chain into the issuer list. Instead the client should call AddCertificate for every single certificate in the chain and indicate the expected location. This feature was added for management of self-signed certificates and not for CA signed certificates. For CA signed certificates the TrustList Read/Writer must be used since the reguired CRL cannot be added managed with the Methods (Add/Remove). I strongly recommend to replace the new paragraph with a requirement that every certificate in a chain must be added as single certificate starting from the root. | ||||
Tags | No tags attached. | ||||
Commit Version | |||||
Fix Due Date | |||||
related to | 0004081 | closed | randyarmstrong | How to handle CA certificates with CRLs with AddCertificate/RemoveCertificate. |
|
Agreed to make the change as proposed. Requires 1.04 Errata. |
|
CA certs need to be added one by one starting from root while ignoring missing crls errors. State that CRLs can be updated with the TrustList Write method. Provide a hint that CA certs should be managed with TrustList writes. |
|
Added explanation to 1.05 DRAFT 02. |
|
Agreed to fixes in 1.05 Draft and 1.04 Errata. |
Date Modified | Username | Field | Change |
---|---|---|---|
2018-02-27 13:46 | Matthias Damm | New Issue | |
2018-02-27 13:46 | Matthias Damm | Relationship added | related to 0004081 |
2018-02-27 17:11 | Jim Luth | Assigned To | => randyarmstrong |
2018-02-27 17:11 | Jim Luth | Status | new => assigned |
2018-02-27 17:12 | Jim Luth | Note Added: 0008893 | |
2018-02-27 17:41 | randyarmstrong | Note Added: 0008894 | |
2018-02-27 17:42 | randyarmstrong | Note Edited: 0008894 | |
2018-03-13 01:31 | randyarmstrong | Note Added: 0008911 | |
2018-03-13 01:31 | randyarmstrong | Status | assigned => resolved |
2018-03-13 01:31 | randyarmstrong | Resolution | open => fixed |
2018-03-13 15:30 | Jim Luth | Note Added: 0008918 | |
2018-03-13 15:30 | Jim Luth | Status | resolved => closed |
2018-03-13 20:04 | Jim Luth | Fixed in Version | => 1.05 |
2018-03-13 20:05 | Jim Luth | Target Version | 1.04 => 1.05 |