Re: [certid] open issue: self-signed certs
Bil Corry <bil@corry.biz> Sat, 10 April 2010 16:23 UTC
Return-Path: <bil@corry.biz>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id D3EFF3A6828 for <certid@core3.amsl.com>;
Sat, 10 Apr 2010 09:23:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.116
X-Spam-Level:
X-Spam-Status: No, score=-1.116 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311,
RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GBdX90jThDL for
<certid@core3.amsl.com>; Sat, 10 Apr 2010 09:23:47 -0700 (PDT)
Received: from mail.mindio.com (app1.bc.anu.net [193.189.141.126]) by
core3.amsl.com (Postfix) with ESMTP id 112FF3A67CC for <certid@ietf.org>;
Sat, 10 Apr 2010 09:23:45 -0700 (PDT)
Received: from [127.0.0.1] (c-69-181-67-65.hsd1.ca.comcast.net [69.181.67.65])
by mail.mindio.com (Postfix) with ESMTP id DEAD3FCF05;
Sat, 10 Apr 2010 11:23:38 -0500 (CDT)
Message-ID: <4BC0A605.3030004@corry.biz>
Date: Sat, 10 Apr 2010 09:23:33 -0700
From: Bil Corry <bil@corry.biz>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <20100317134327.GA14163@eltex.net>
<4BA1A532.9090107@stpeter.im> <20100318045825.GA14076@eltex.net> <4BB3C447.7000505@stpeter.im>
<4BBA575C.9040902@isode.com> <4BBF5601.1090905@stpeter.im>
In-Reply-To: <4BBF5601.1090905@stpeter.im>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] open issue: self-signed certs
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2010 16:23:50 -0000
Peter Saint-Andre wrote on 4/9/2010 9:29 AM: > Regarding self-signed certs, Alexey and I had the following exchange... > > On 4/5/10 3:34 PM, Alexey Melnikov wrote: >> Peter Saint-Andre wrote: >> >>> Given that a self-signed certificate can say *anything*, I don't know >>> that it's helpful to enforce any rules about issuance and checking of >>> self-signed certs. It's not as if any "certification" has taken place in >>> this situation. >>> >> +1. > > Someone named "ArkanaoiD" (how's that for identity? :) wrote: > > Well, when it comes to implementation we get *two* matching > algorithms then, which is definitely no good. > > IMHO we don't necessarily get two matching algorithms -- it's just that > the matching algorithm for self-signed certificates is not specified in > this document. Given that we are trying to define best practices for > secure authentication of application services, I don't think it makes a > lot of sense to discuss self-signed certs. > > Bruno Harbulot wrote: > > I'm not sure this I-D should treat self-signed certs completely > differently from CA-issued certs. Self-signed certs could be > considered as a special case of CA-issued certs. > > And Bil Corry wrote: > > I agree. Isn't the distinction between CA-issued certs and > self-signed certs more-or-less which CAs you choose to trust? > > Bruno and Bil, would you find it acceptable if this document simply does > not mention self-signed certificates? We really are trying to limit the > scope of this document to a very particular problem, but I'm quite open > to discussing related problems in other documents. However, if it is > going to be more confusing to say that self-signed certs are out of > scope then I'd consider including some text about them. How about the scenario where a company acts as its own CA for internal systems; i.e. their root cert is installed across their entire enterprise and is effectively a CA for those browsers. Is that in or out of scope for this document? - Bil
- [certid] It is not always a good idea to enforce … ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Joe Orton
- Re: [certid] It is not always a good idea to enfo… Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Bil Corry
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… Alexey Melnikov
- [certid] open issue: self-signed certs Peter Saint-Andre
- Re: [certid] open issue: self-signed certs Bil Corry
- Re: [certid] open issue: self-signed certs Kurt Zeilenga
- Re: [certid] open issue: self-signed certs Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Michael Ströder