Re: [pkix] Self-issued certificates

"Miller, Timothy J." <tmiller@mitre.org> Mon, 13 July 2015 14:42 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: Erik Andersen <era@x500.eu>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6Win+gscY4xki0Ne4yM5Okv53ZUDLggAAexYCAAAYZIA==
Date: Mon, 13 Jul 2015 14:41:35 +0000
Message-ID: <BY2PR09MB10985978D45536DA27003F6AE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com> <000501d0bd74$6ab70660$40251320$@x500.eu>
In-Reply-To: <000501d0bd74$6ab70660$40251320$@x500.eu>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/1G6X5h9wm1uqTIpT7ZRpl3ye9xg>
Subject: Re: [pkix] Self-issued certificates
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>

> I am not sure how the first paragraph leads to the second paragraph. Where
> is that stated in RFC 5280 or X.509?

It's not stated, it's legacy.  Originally the DN was supposed to be the entity's location in the imaginary X.500 directory.  Two different DNs == two different locations, and therefore two different entities (because X.500 had a single DIT).  

In short, the name--in X.509 and PKIX--*is* the thing.  

This may seem like a philosophical issue but it has real implications.  In access control systems, once the user's authenticator is verified, the user's public key is discarded and the system uses the name (usually by binding that name to a proprietary access credential, e.g., a cookie).  This behavior is common to most PK-enabled systems, though the use of the DN is no longer exclusive (we have SANs now).  Change the name--even if the same key is bound to it--and you'll lose access.  Try it with a PK-enabled website.  

Similarly with S/MIME--change the relevant name (here the SAN rfc822Name), and the email won't verify.

-- T
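The point made in the reply above, that a PK-enabled relying party keeps the name and discards the key, can be shown with a small experiment. The following Go program is an added example written for this archive page; it is not code from the thread or from any of its participants, and it uses only the standard library's crypto/x509. It issues two self-signed certificates over one key that differ only in the subject DN, then runs both through a DN-keyed ACL and an S/MIME-style check of the sender address against the rfc822Name SAN. The names, addresses, organization and ACL contents are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfIssued builds a self-signed certificate over key with the given subject CN
// and rfc822Name SAN. Organization and validity period are constructed values.
func SelfIssued(key *ecdsa.PrivateKey, cn, email string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	// Self-issued: the template is its own parent and is signed by the key it certifies.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Identity is what the relying party retains once the authenticator has been
// verified: the names from the certificate, with the public key already discarded.
type Identity struct {
	DN     string   // subject DN in RFC 2253 string form
	Emails []string // rfc822Name SANs
}

// IdentityOf models the hand-off from key-based authentication to name-based
// authorization: nothing about the key survives this step.
func IdentityOf(cert *x509.Certificate) Identity {
	return Identity{DN: cert.Subject.String(), Emails: cert.EmailAddresses}
}

// Authorize looks the subject DN up in an ACL keyed by DN. Two certificates with
// the same key but different DNs are two different principals here.
func Authorize(acl map[string]string, cert *x509.Certificate) (string, bool) {
	role, ok := acl[IdentityOf(cert).DN]
	return role, ok
}

// SenderMatches models the S/MIME receiver check that the From address is one of
// the signer certificate's rfc822Name SANs (exact string match, for the example).
func SenderMatches(cert *x509.Certificate, from string) bool {
	for _, e := range IdentityOf(cert).Emails {
		if e == from {
			return true
		}
	}
	return false
}

// Scenario collects the outcomes of the name-versus-key experiment.
type Scenario struct {
	SameKey             bool // both certificates carry the identical public key
	OriginalAllowed     bool // the DN the ACL was provisioned with
	RenamedAllowed      bool // same key, different DN
	SenderAccepted      bool // From address matches the rfc822Name SAN
	WrongSenderAccepted bool // From address does not match the SAN
}

// RunScenario issues two certificates over one key, differing only in the DN,
// and runs both through the DN-keyed ACL and the sender check.
func RunScenario() (Scenario, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	original, err := SelfIssued(key, "Alice", "alice@example.org", 1)
	if err != nil {
		return Scenario{}, err
	}
	renamed, err := SelfIssued(key, "Alice Renamed", "alice@example.org", 2)
	if err != nil {
		return Scenario{}, err
	}
	// The ACL was provisioned against the original certificate's DN only.
	acl := map[string]string{IdentityOf(original).DN: "reader"}
	_, origOK := Authorize(acl, original)
	_, renamedOK := Authorize(acl, renamed)
	return Scenario{
		SameKey:             original.PublicKey.(*ecdsa.PublicKey).Equal(renamed.PublicKey),
		OriginalAllowed:     origOK,
		RenamedAllowed:      renamedOK,
		SenderAccepted:      SenderMatches(original, "alice@example.org"),
		WrongSenderAccepted: SenderMatches(original, "bob@example.org"),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s) // SameKey true, RenamedAllowed false: the name is the thing
}
```

Running it prints a Scenario in which SameKey is true while RenamedAllowed is false: the key that signed both certificates never enters the authorization decision, only the DN does, and the same holds for the rfc822Name SAN on the S/MIME side.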