Re: [dane] "Name Checks are not appropriate for CU=3"

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 17 January 2014 06:59 UTC

Date: Fri, 17 Jan 2014 06:59:42 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140117065942.GY2317@mournblade.imrryr.org>
References: <20140116151959.4AA021ABB0@ld9781.wdf.sap.corp> <52D80CC4.9020407@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <52D80CC4.9020407@bbn.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"

On Thu, Jan 16, 2014 at 11:45:56AM -0500, Stephen Kent wrote:

> Martin is correct. This is not a well-formed cert as per RFC 5280:
> 
> 4.1.2.4. Issuer
> The issuer field identifies the entity that has signed and issued the
> certificate. The issuer field MUST contain a non-empty distinguished
> name (DN)
>
> [...]
>
> We issued 5280bis in part to accommodate DANE's use of ss certs.
> Please don't provide examples that are obviously non-compliant relative
> to basic PKIX and X.509 specs.

Are you referring to RFC 6818?  If so, what is the impact of Section
2 of that document?

    2.  Update to RFC 5280, Section 3.2: "Certification Paths and Trust"

       Add the following paragraph to the end of RFC 5280, Section 3.2:

    | Consistent with Section 3.4.61 of X.509 (11/2008) [X.509], we note
    | that use of self-issued certificates and self-signed certificates
    | issued by entities other than CAs are outside the scope of this
    | specification.  Thus, for example, a web server or client might
    | generate a self-signed certificate to identify itself.  These
    | certificates and how a relying party uses them to authenticate
    | asserted identities are both outside the scope of RFC 5280.

If a self-signed EE (i.e. not a CA) certificate is outside the
scope of 5280, it might seem that the issuer constraint of 5280
need not apply.

This does not mean that it is a good idea to push one's luck, but
I am curious as to whether the 5280 constraints in this thread are
or are not in scope for self-signed EE certificates?

It is perhaps the case that the question of whether a certificate
is self-issued or not is not well-formed when both the issuer and
subject fields are empty?

-- 
	Viktor.