Re: [certid] open issue: self-signed certs
Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> Thu, 15 April 2010 13:44 UTC
Return-Path: <Bruno.Harbulot@manchester.ac.uk>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 2CA5C3A689C for <certid@core3.amsl.com>;
Thu, 15 Apr 2010 06:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No,
score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001,
RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNzirgJ+uEgz for
<certid@core3.amsl.com>; Thu, 15 Apr 2010 06:44:34 -0700 (PDT)
Received: from clarity.mcc.ac.uk (clarity.mcc.ac.uk [130.88.200.144]) by
core3.amsl.com (Postfix) with ESMTP id 714883A6A16 for <certid@ietf.org>;
Thu, 15 Apr 2010 06:44:31 -0700 (PDT)
Received: from rankine.its.manchester.ac.uk ([130.88.25.196]) by
clarity.mcc.ac.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD))
(envelope-from <Bruno.Harbulot@manchester.ac.uk>) id 1O2PMk-000J8g-TL;
Thu, 15 Apr 2010 14:44:22 +0100
Received: from pulsar.rcs.manchester.ac.uk ([130.88.1.47]:44009
helo=mymachine) by rankine.its.manchester.ac.uk with esmtpsa
(TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from
<Bruno.Harbulot@manchester.ac.uk>) id 1O2PMk-00049G-N4;
Thu, 15 Apr 2010 14:44:22 +0100
Message-ID: <4BC71827.1090103@manchester.ac.uk>
Date: Thu, 15 Apr 2010 14:44:07 +0100
From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Bil Corry <bil@corry.biz>
References: <20100317134327.GA14163@eltex.net> <4BA1A532.9090107@stpeter.im> <20100318045825.GA14076@eltex.net> <4BB3C447.7000505@stpeter.im> <4BBA575C.9040902@isode.com>
<4BBF5601.1090905@stpeter.im> <4BC0A605.3030004@corry.biz>
In-Reply-To: <4BC0A605.3030004@corry.biz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: Bruno Harbulot from pulsar.rcs.manchester.ac.uk
(mymachine) [130.88.1.47]:44009
X-Authenticated-From: Bruno.Harbulot@manchester.ac.uk
X-UoM: Scanned by the University Mail System. See
http://www.itservices.manchester.ac.uk/email/filtering/information/ for
details.
Cc: certid@ietf.org
Subject: Re: [certid] open issue: self-signed certs
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2010 13:44:36 -0000
Hello, Bil Corry wrote: > Peter Saint-Andre wrote on 4/9/2010 9:29 AM: >> Regarding self-signed certs, Alexey and I had the following exchange... >> >> On 4/5/10 3:34 PM, Alexey Melnikov wrote: >>> Peter Saint-Andre wrote: >>> >>>> Given that a self-signed certificate can say *anything*, I don't know >>>> that it's helpful to enforce any rules about issuance and checking of >>>> self-signed certs. It's not as if any "certification" has taken place in >>>> this situation. >>>> >>> +1. >> Someone named "ArkanaoiD" (how's that for identity? :) wrote: >> >> Well, when it comes to implementation we get *two* matching >> algorithms then, which is definitely no good. >> >> IMHO we don't necessarily get two matching algorithms -- it's just that >> the matching algorithm for self-signed certificates is not specified in >> this document. Given that we are trying to define best practices for >> secure authentication of application services, I don't think it makes a >> lot of sense to discuss self-signed certs. >> >> Bruno Harbulot wrote: >> >> I'm not sure this I-D should treat self-signed certs completely >> differently from CA-issued certs. Self-signed certs could be >> considered as a special case of CA-issued certs. >> >> And Bil Corry wrote: >> >> I agree. Isn't the distinction between CA-issued certs and >> self-signed certs more-or-less which CAs you choose to trust? >> >> Bruno and Bil, would you find it acceptable if this document simply does >> not mention self-signed certificates? We really are trying to limit the >> scope of this document to a very particular problem, but I'm quite open >> to discussing related problems in other documents. However, if it is >> going to be more confusing to say that self-signed certs are out of >> scope then I'd consider including some text about them. Yes, I think it's probably better to leave trust into the certificate itself (self-signed or not) out of the scope of this document. (There are other documents for this, including RFC 5280.) I don't think it makes sense to exclude self-signed certificates as such, and I don't agree with the previous quote: "It's not as if any "certification" has taken place in this situation." Certification may have taken place, out of bands, like it's the case for CA certificates such as Verisign's that end up automatically in most browsers (a process that undoubtedly involves some amount of politics). There's always a leap of faith to be made for bootstrapping trust. Whether one gets a cert (or a certification path to a cert) from a friend handing a cert in person or via some vendor's bundled software has to be subject to the judgement of the user. The only specificity of a self-signed server certificate here is that the certification path is extremely short. > How about the scenario where a company acts as its own CA for internal systems; i.e. their root cert is installed across their entire enterprise and is effectively a CA for those browsers. Is that in or out of scope for this document? I think this scenario is orthogonal to the scope of this document. It's perfectly acceptable for a company to have its own CA and comply with this document as well as RFC 5280 (or maybe some other model of PKI). As far as I read it, the purpose of this I-D is to check that the certificate obtained when connecting to server is indeed bound to that server and not some other server, not to verify the trust in the certificate itself. As far as I'm aware, most APIs implement these two concerns separately anyway. Just to bring back the self-signed cert issue into context, this discussion started with some self-signed certs including e-mail addresses as leaf RDNs: having non-CN leaf RDNs was the main point as far I understood. As I was saying then, this is not specific to self-signed certificates. I use at least one CA (the UK e-Science CA) that puts e-mail addresses in the DN. It appears that its US counterpart does it too: http://teragrid.psc.edu/pscCert.php#DN (This is probably more appropriate for the thread on RDNs.) Best wishes, Bruno.
- [certid] It is not always a good idea to enforce … ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Joe Orton
- Re: [certid] It is not always a good idea to enfo… Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Bil Corry
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… Alexey Melnikov
- [certid] open issue: self-signed certs Peter Saint-Andre
- Re: [certid] open issue: self-signed certs Bil Corry
- Re: [certid] open issue: self-signed certs Kurt Zeilenga
- Re: [certid] open issue: self-signed certs Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Michael Ströder