[certid] open issue: self-signed certs
Peter Saint-Andre <stpeter@stpeter.im> Fri, 09 April 2010 16:29 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id E7C833A68AE for <certid@core3.amsl.com>;
Fri, 9 Apr 2010 09:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.289
X-Spam-Level:
X-Spam-Status: No, score=-2.289 tagged_above=-999 required=5 tests=[AWL=0.310,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWQordbhUmGT for
<certid@core3.amsl.com>; Fri, 9 Apr 2010 09:29:57 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 97D913A680E for <certid@ietf.org>;
Fri, 9 Apr 2010 09:29:57 -0700 (PDT)
Received: from dhcp-64-101-72-158.cisco.com (dhcp-64-101-72-158.cisco.com
[64.101.72.158]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with
ESMTPSA id 5B63440E15; Fri, 9 Apr 2010 10:29:53 -0600 (MDT)
Message-ID: <4BBF5601.1090905@stpeter.im>
Date: Fri, 09 Apr 2010 10:29:53 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <20100317134327.GA14163@eltex.net> <4BA1A532.9090107@stpeter.im>
<20100318045825.GA14076@eltex.net> <4BB3C447.7000505@stpeter.im>
<4BBA575C.9040902@isode.com>
In-Reply-To: <4BBA575C.9040902@isode.com>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms080103040508090207060503"
Cc: certid@ietf.org
Subject: [certid] open issue: self-signed certs
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2010 16:30:00 -0000
Regarding self-signed certs, Alexey and I had the following exchange... On 4/5/10 3:34 PM, Alexey Melnikov wrote: > Peter Saint-Andre wrote: > >> Given that a self-signed certificate can say *anything*, I don't know >> that it's helpful to enforce any rules about issuance and checking of >> self-signed certs. It's not as if any "certification" has taken place in >> this situation. >> > +1. Someone named "ArkanaoiD" (how's that for identity? :) wrote: Well, when it comes to implementation we get *two* matching algorithms then, which is definitely no good. IMHO we don't necessarily get two matching algorithms -- it's just that the matching algorithm for self-signed certificates is not specified in this document. Given that we are trying to define best practices for secure authentication of application services, I don't think it makes a lot of sense to discuss self-signed certs. Bruno Harbulot wrote: I'm not sure this I-D should treat self-signed certs completely differently from CA-issued certs. Self-signed certs could be considered as a special case of CA-issued certs. And Bil Corry wrote: I agree. Isn't the distinction between CA-issued certs and self-signed certs more-or-less which CAs you choose to trust? Bruno and Bil, would you find it acceptable if this document simply does not mention self-signed certificates? We really are trying to limit the scope of this document to a very particular problem, but I'm quite open to discussing related problems in other documents. However, if it is going to be more confusing to say that self-signed certs are out of scope then I'd consider including some text about them. Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] It is not always a good idea to enforce … ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Joe Orton
- Re: [certid] It is not always a good idea to enfo… Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Bil Corry
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… Alexey Melnikov
- [certid] open issue: self-signed certs Peter Saint-Andre
- Re: [certid] open issue: self-signed certs Bil Corry
- Re: [certid] open issue: self-signed certs Kurt Zeilenga
- Re: [certid] open issue: self-signed certs Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Michael Ströder