1

Assume you have a client/server pair which wants to set up a secure connection using X509 v3 certificates and asymmetric cryptography.

The client sends a chain of certificates (let's say Root CA: C1, intermediate CA: C2 and client certificate: C3) and the server has to validate the chain (and then, of course, vice versa).

Up to this morning my understanding was that the server needs to know (at least) C1 and have it in a trust store, the idea being that the root CA is the entity all participating parties are willing to trust.

After encountering examples where this is handled differently I'm now confused and have some doubts.

In one example I found the server only had C3 (or only C2) in it's trust store and was happily accepting the connection request containing the rest of the chain (actually the whole chain) from the client.

So I'd like to know whether this an approach which

  1. can be considered secure?
  2. is in accord with relevant standards?

(Of course I do understand that it is, to some extend, up to the server admin to decide which parties are trustworthy. The question aims at a developer who is supposed to implement the validation).

techraf
  • 9,149
  • 11
  • 44
  • 62
Thomas
  • 121
  • 1
  • 1
  • 6

1 Answers1

2

From the RFC 5280:

A user of a security service requiring knowledge of a public key generally needs to obtain and validate a certificate containing the required public key. If the public key user does not already hold an assured copy of the public key of the CA that signed the certificate, the CA's name, and related information (such as the validity period or name constraints), then it might need an additional certificate to obtain that public key. In general, a chain of multiple certificates may be needed...

The server (from your question) validates the copy of "a certificate containing the required public key" first by checking its trust store. If C3 is in the trust store, there's no need to check anything else. If not it proceeds further.

Notice the potential form in the RFC: "it might need", "may be needed". It is not required to check the whole path if it already trusts a certificate.

Also take a look at this answer describing the difference between X.509 and TLS.

techraf
  • 9,149
  • 11
  • 44
  • 62