Re: [pkix] Self-issued certificates

王文正 <wcwang@cht.com.tw> Thu, 16 July 2015 09:22 UTC

Return-Path: <wcwang@cht.com.tw>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43BB91A8720 for <pkix@ietfa.amsl.com>; Thu, 16 Jul 2015 02:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.624
X-Spam-Level: *
X-Spam-Status: No, score=1.624 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_TW=1.335, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05dq9a9tk4hH for <pkix@ietfa.amsl.com>; Thu, 16 Jul 2015 02:22:00 -0700 (PDT)
Received: from scan12.cht.com.tw (scan12.cht.com.tw [202.39.160.142]) by ietfa.amsl.com (Postfix) with ESMTP id 73AE11A871E for <pkix@ietf.org>; Thu, 16 Jul 2015 02:22:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=cht.com.tw; s=bill; c=relaxed/simple; q=dns/txt; i=@cht.com.tw; t=1437038519; x=1439630519; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nf3LCva4stf4siEwCS/H5X/hLM7CIaR+He4sruggLxo=; b=kH6pCpRK3b+x7mKfi0JQU6EISv504nlQ7KYqGwJtXVlnJad9o4PzWOz8hHDFeJ7R WNI6cHJUAvt7La569Pr5/h2ZnFG+UpM9lmEJMO+jW/00cdlAr6Vz4ZpC1Z47nSwW OMOaNtVYiKA5Cc+EjudE/UC1QlrQNs3JssldMBl7eSU=;
X-AuditID: 0aa00766-f798c6d000002b61-a2-55a777b70858
Received: from scanrelay2.cht.com.tw ( [10.160.7.107]) by scan12.cht.com.tw (CHT Outgoing ESMTP Mail Server) with SMTP id 18.B6.11105.7B777A55; Thu, 16 Jul 2015 17:21:59 +0800 (CST)
Received: from CAS6.app.corp.cht.com.tw (unknown [10.172.18.162]) by scanrelay2.cht.com.tw (Symantec Mail Security) with ESMTP id EECB9C000088; Thu, 16 Jul 2015 17:21:58 +0800 (CST)
Received: from MBS6.app.corp.cht.com.tw ([fe80::3178:69dd:b794:fa86]) by CAS6.app.corp.cht.com.tw ([fe80::cd00:8556:7c97:6ab9%12]) with mapi id 14.02.0342.003; Thu, 16 Jul 2015 17:20:02 +0800
From: =?utf-8?B?546L5paH5q2j?= <wcwang@cht.com.tw>
To: "Miller, Timothy J." <tmiller@mitre.org>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6GAYPrVwbgc064vRlSWTnR1Z3YHn2AgAEqVND//8o1gIABb2ZwgACfJkf//8FjAIABpRXAgABR9cr//4HAgAAu3dMA
Date: Thu, 16 Jul 2015 09:20:01 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D624E22@mbs6.app.corp.cht.com.tw>
References: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw> <20150714201254.42B171A1DE@ld9781.wdf.sap.corp> <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw> <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>
In-Reply-To: <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>
Accept-Language: zh-TW, en-US
Content-Language: zh-TW
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.77.4.111]
Content-Type: text/plain; charset="utf-8"
content-transfer-encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrKKsWRmVeSWpSXmKPExsXCtYA9W3d7+fJQg1lLxSx6f+9gtrh4sMhi 2olvrA7MHkuW/GTyeNtwld1jyuetjAHMUfU2iXl5+SWJJakKKanFybZKyRkluimZxck5iZm5 qUW6pSVpFkoKmSm2SmZKCgU5icmpual5JbZKiQUFqXkpSnZcChjABqgsM08hNS85PyUzL91W KTTETddCye7ZnDVP9i98snvb0/71L5r3Pu1pfTphdcIa+Yz3y5uYC26wVPR+38vUwHiCpYuR k0NCwERia/czdghbTOLCvfVsXYxcHEIC2xklJux+wwzh7GSUeLL3FhNIlZDAYUaJrSvKQGw2 ASOJjWd3AcU5OEQEdCSuTAkHCTMLmEt8m7aTFcQWBgrfurMfrFVEQFfi0rPvbBB2nsT9YzOY QWwWAVWJ35M+gdXwCvhLdO48xgKx9xejxLbPO8ESnAK2ElPnnwe7mlFAVuLJgmdMEMvEJc5d bIX6QEBiyZ7zzBC2qMTLx/9YQW6TEJCXmPZGBsRkFtCUWL9LH6JTUWJK90N2iLWCEidnPmGZ wCg+C8nQWQgds5B0zELSsYCRZRWjYHFyYp6hkR4wVvWS83P1Sso3MUISSdoOxu3zHQ8xCnAw KvHwNjQvCxViTSwrrsw9xCjBwawkwvvUc3moEG9KYmVValF+fFFpTmrxIcZkYJhMZJYSTc4H Jrm8knhDY0tjE3NjcwMjQwND0oSVxHmnt2aGCAmkAxNfdmpqQWoRzBYmDk6pBkbTknDN/x6S mc63WT0ktyW9dzY/6/b95eQNUg90LJOebtg87XmqVdt/2w3X1OwWzJmux1jZ96lV2z3bxH22 xn9F5shVPUvldH5297Dkh6tPk9CIN1r3PPL3vRCfy+n3DY4xbs2efihyCdOi+Y4HVzx4+17g hPp33tO2115XsZUX7NmX9iC+y0+JpTgj0VCLuag4EQB3Xs2IaAMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/5DJV9QDGl6cfBMZ9ucp3E8dIZRc>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2015 09:22:02 -0000

Hi Timothy,

> I suppose it bears mentioning that you should never accept a trust anchor without some kind of verification.  An RFC 4210 rollover announcement is fine and dandy if and only if you already trusted the old anchor.  If you don’t, then you need to go out-of-band, and part of that is verifying that the entity named is the entity you expect.

Exactly, thank you for helping to clarify that concept.

Wen-Cheng Wang

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件.如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.