Author dsoprea
Recipients asmodai, chet, christian.heimes, dsoprea, dstufft, jcea, maker, miki725, mmasztalerczuk, pitrou, underrun
Date 2017-05-12.22:07:08
Message-id <CAOr1xOEHrmD0DT+0q0FzqX=XmGnC=uVhoOsmoFCS_8wLvSeZGA@mail.gmail.com>
In-reply-to <CAOr1xOEw_EpJ29yydj303RJdzzyiLUiXkj3hJ5HvUE8At1wpcA@mail.gmail.com>
Content
Thanks for expounding on this, Christian. Assuming your assertions are
correct, this makes perfect sense.

Can anyone listening close this?

On May 12, 2017 17:45, "Christian Heimes" <report@bugs.python.org> wrote:

Christian Heimes added the comment:

The ticket is dead for a very good reason. Past me was not clever enough
and didn't know about the difference between the cert chain sent by the
peer and the actual trust chain. The peer's cert chain is not trustworthy
and must *only* be used to build the actual trust chain. X.509 trust
chain construction is a tricky business.

Although I thought that the peer cert chain is a useful piece of information,
it is also dangerous. It's simply not trustworthy. In virtually all cases
you want to know the chain of certificates that leads from a local trust
anchor to the end-entity cert. In most cases it just happens to be the same
(excluding root CA). But that's not reliable.

----------

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue18233>
_______________________________________
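The distinction Christian draws above, shown as an added example that is not part of the tracker thread or of CPython: the chain a peer presents is only a pool of candidate intermediates, and the trust anchor always comes from the local store. It is written in Go because its standard library can build and verify a chain offline; the names "Local Root", "Local Intermediate", "Rogue Root" and "example.test" are constructed in memory for the demo and correspond to no real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway in-memory cert for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustChain builds the chain(s) from the peer's end-entity cert to a local anchor. The peer-sent
// chain is untrusted input: its extra certs are only candidate intermediates; the anchor is local.
func TrustChain(peer []*x509.Certificate, roots *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range peer[1:] {
		inter.AddCert(c)
	}
	return peer[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
}

// Scenario: only "Local Root" is trusted. The honest peer omits its root, yet the built chain
// ends at it; the rogue peer sends a self-consistent chain to its own root and is rejected.
func Scenario() (honest []*x509.Certificate, rogueErr error) {
	root, rootKey := mkCert("Local Root", true, nil, nil)
	inter, interKey := mkCert("Local Intermediate", true, root, rootKey)
	leaf, _ := mkCert("example.test", false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, _ := TrustChain([]*x509.Certificate{leaf, inter}, roots, "example.test")
	rogueRoot, rogueKey := mkCert("Rogue Root", true, nil, nil)
	rogueLeaf, _ := mkCert("example.test", false, rogueRoot, rogueKey)
	_, rogueErr = TrustChain([]*x509.Certificate{rogueLeaf, rogueRoot}, roots, "example.test")
	return chains[0], rogueErr
}
```

Scenario() returns a three-cert chain whose last element is the locally trusted root the honest peer never sent, and a non-nil error for the rogue peer even though every cert it sent verifies against the one next to it.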
History
Date | User | Action | Args
2017-05-12 22:07:08 | dsoprea | set | recipients: + dsoprea, jcea, pitrou, christian.heimes, asmodai, maker, underrun, dstufft, miki725, mmasztalerczuk, chet
2017-05-12 22:07:08 | dsoprea | link | issue18233 messages
2017-05-12 22:07:08 | dsoprea | create |