Re: [pkix] RFC 5280 interpretation of trust anchor certificates

George Michaelson <ggm@algebras.org> Mon, 10 October 2022 01:51 UTC

References: <Y0MKZ/LkgnDcOY1z@nmhq.net> <182e19f5-a630-7830-3011-0ed9fc62ea81@nthpermutation.com> <Y0MpC50ARNV8QhB0@nmhq.net> <241fd8ce-e765-c7d3-bd01-207c003f45d5@nthpermutation.com>
In-Reply-To: <241fd8ce-e765-c7d3-bd01-207c003f45d5@nthpermutation.com>
From: George Michaelson <ggm@algebras.org>
Date: Mon, 10 Oct 2022 11:50:48 +1000
Message-ID: <CAKr6gn0E1ZgZ4jzRzcG-9gUWW2GBT5NwB+sbM6XxWk8zjbFHVQ@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: IETF PKIX <pkix@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/05Wwwn0dIzE-NfWa__KZWfOE5VU>
Subject: Re: [pkix] RFC 5280 interpretation of trust anchor certificates

My personal view is that clarity about path building, regarding the
semantics of the issuer and subject either as names or KI, and a statement
of what can be used to terminate path building regarding the signing
keypair in question are a better basis of trust anchor definition than
handwaving about self-signed certificates. Plus, some words about
validators' choices of trust anchor, and its centrality to the process.

It should be clear that self-signing, and arguably even a certificate per
se, is broadly irrelevant. What matters is the path to a key which is
trusted, so that validation can process with certainty, and the
independence to select trust anchor(s) outside of the specific issuer
subject chain under "test".

Is this an oversimplified view?

Cheers G
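
The view in the message above, that path building ends at a key the validator has chosen to trust and not at a self-signed certificate, sketched as an added example that is not part of the original message. It assumes toy textbook RSA over constructed primes, dict-based certificates, chaining by name only (no key identifiers), and the constructed names "Root", "Intermediate" and "leaf.example".

```python
import hashlib

E = 65537

def keypair(p, q):
    # Toy textbook RSA from constructed Mersenne primes; illustration only.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(issuer, subject, subject_pub, signer_priv):
    # Constructed certificate model: names, subject key, signature over both.
    n, d = signer_priv
    tbs = repr((issuer, subject, subject_pub)).encode()
    return {"issuer": issuer, "subject": subject, "pub": subject_pub,
            "tbs": tbs, "sig": pow(_digest(tbs, n), d, n)}

def verifies(cert, pub):
    n, e = pub
    return pow(cert["sig"], e, n) == _digest(cert["tbs"], n)

def build_path(target, pool, anchors):
    """Walk issuer links from target; stop only at a validator-chosen
    (name -> key) anchor whose key verifies the current certificate."""
    path, cert = [target], target
    for _ in range(len(pool) + 1):
        key = anchors.get(cert["issuer"])
        if key is not None and verifies(cert, key):
            return path
        # No anchor matched: look for an untrusted issuer certificate.
        parent = next((c for c in pool if c is not cert and c not in path
                       and c["subject"] == cert["issuer"]
                       and verifies(cert, c["pub"])), None)
        if parent is None:
            return None  # a self-signed cert in the pool does not end the path
        path.append(parent)
        cert = parent
    return None

ROOT_PUB, ROOT_PRIV = keypair(2**61 - 1, 2**89 - 1)
INT_PUB, INT_PRIV = keypair(2**107 - 1, 2**127 - 1)
LEAF_PUB, _ = keypair(2**19 - 1, 2**31 - 1)
ROOT = issue("Root", "Root", ROOT_PUB, ROOT_PRIV)  # self-signed
INTERMEDIATE = issue("Root", "Intermediate", INT_PUB, ROOT_PRIV)
LEAF = issue("Intermediate", "leaf.example", LEAF_PUB, INT_PRIV)
POOL = [ROOT, INTERMEDIATE]
```

With `{"Root": ROOT_PUB}` as the anchor set the path is leaf then intermediate; with `{"Intermediate": INT_PUB}` it is the leaf alone; with an empty anchor set the self-signed `ROOT` in the pool yields no path.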