Re: [pkix] Self-issued certificates

Peter Bowen <pzbowen@gmail.com> Mon, 13 July 2015 18:20 UTC

In-Reply-To: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Date: Mon, 13 Jul 2015 11:19:40 -0700
Message-ID: <CAK6vND8W9OKKvBFe3ecdDdtayzOaazeD20P_5Sh7NrsgoRCM-g@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Erik Andersen <era@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/-SS3ByAopI8iKqCAIWuW7qwTPsc>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates

On Mon, Jul 13, 2015 at 12:30 AM, Erik Andersen <era@x500.eu> wrote:
> It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509
> definition is:
>
> 3.5.62  self-issued certificate: A CA certificate where the issuer and the
> subject are the same CA. A CA might use self-issued certificates, for
> example, during a key rollover operation to provide trust from the old key
> to the new key.
>
> The problem you are facing is that the term entity is not clearly defined.
> Is a CA an entity, or is a CA a specific role for an entity among other roles
> for the same entity?
>
> The RFC 5280 definition seems to assume that a CA is an entity, and that the two
> CAs you mention are different entities, while X.509 does not necessarily make
> that assumption.

OK.  Now I'm even more confused.

X.509 says an authority is an entity, responsible for the issuance of
certificates and says a certificate authority is a type of authority.

How is RFC 5280 any more or less clear than X.509?  Is X.509's take on
the certificate I described different from that attributed to 5280?

Thanks,
Peter