Re: [pkix] Self-issued certificates

王文正 <wcwang@cht.com.tw> Mon, 13 July 2015 12:54 UTC

From: 王文正 <wcwang@cht.com.tw>
To: "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6GAYPrVwbgc064vRlSWTnR1Z3Ye5WAgADSrFA=
Date: Mon, 13 Jul 2015 12:54:39 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D620DB0@mbs6.app.corp.cht.com.tw>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
In-Reply-To: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Accept-Language: zh-TW, en-US
Content-Language: zh-TW
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/A-MM0przPSJ63_VttnLhehpOuK4>
Subject: Re: [pkix] Self-issued certificates

I think both X.509 and RFC 5280 are clear and equivalent with respect to the definition of self-issued certificates.

In clause 3.5.62 of X.509, the definition of self-issued certificates is as below:

    self-issued certificate: A public-key certificate where the issuer and the subject are the same CA. A CA might use self-issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.

In section 3.2 of RFC 5280, the definition of self-issued certificates is as below:

    Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations.

Clause 8.1.5 of X.509 specifies the naming rule for self-issued certificates as below:

    These types of CA-certificates are called self-issued certificates, and they can be recognized by the fact that the issuer and subject names present in them are identical.

Section 6.1 of RFC 5280 specifies the naming rule for self-issued certificates as below:

    A certificate is self-issued if the same DN appears in the subject and issuer fields (the two DNs are the same if they match according to the rules specified in Section 7.1).

The logic behind this is: "A CA is certainly an entity. Once the DN of the entity is officially assigned by a naming authority, it should not be changed unless its identity is changed in the future. Therefore, when a CA performs key rollovers or policy changes, it should not change its DN. That is why self-issued certificates with the same issuer and subject names are generated to support key rollovers or policy changes."

Please note that some special certification path handling rules are based on the assumption that "a certificate is self-issued if the same DN appears in the subject and issuer fields", as mentioned in clause 8.1.5 of X.509:

    Nevertheless, if self-issued certificates of this category are encountered in the path, they shall be processed as intermediate certificates, with the following exception: they do not contribute to the path length for the purposes of processing the pathLenConstraint component of the basicConstraints extension and the skip-certificates values associated with the policy-mapping-inhibit-pending and explicit-policy-pending indicators.

The certificate path validation algorithm defined in section 6.1 of RFC 5280 also contains exceptional "self-issued certificates" handling rules which are equivalent to those required by the X.509 standard.

If a CA issues a certificate of which the issuer name and subject name are not the same, it will be handled as a normal certificate (either as a non-self-issued intermediate certificate or as an end-entity certificate) and thus those exceptional "self-issued certificates" handling rules will not apply to it.

Wen-Cheng Wang
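The two points made above, that the self-issued test is purely a comparison of the subject and issuer DNs and that self-issued certificates do not consume pathLenConstraint, can be shown in code. The following is an added example written for this page; it is not code from any message in the thread, from X.509 or from RFC 5280. It models certificates as plain Python dataclasses rather than parsed DER, approximates the Section 7.1 name-comparison rules with a simplified normalisation (the full RFC 4518 preparation is not implemented), and replays the max_path_length steps of RFC 5280 section 6.1.4 (l) and (m). The DNs reuse Peter Bowen's example; the "Issuing CA" and "server.example" names and all key labels are constructed for the illustration.

```python
"""Self-issued detection and pathLenConstraint bookkeeping modelled on RFC 5280.

Added example, not part of the mailing-list thread.  Certificates are plain
dataclasses, not DER; a name is a tuple of (attribute type, value) pairs with
one attribute per RDN, which is enough for the names discussed in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import unicodedata

Name = Tuple[Tuple[str, str], ...]


@dataclass
class Cert:
    """Minimal stand-in for an X.509 CA or end-entity certificate (constructed)."""
    subject: Name
    issuer: Name
    signing_key: str                            # label of the key that signed it (narrative only)
    path_len_constraint: Optional[int] = None   # basicConstraints.pathLenConstraint, if present


def normalize_value(value: str) -> str:
    """Shape of the RFC 5280 section 7.1 string preparation: Unicode normalisation,
    case folding, trimming and collapsing of whitespace.  A conforming
    implementation applies RFC 4518 in full; this keeps only enough to show that
    DN matching is not a raw byte comparison."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split())


def names_match(a: Name, b: Name) -> bool:
    """DNs match when the RDN sequences have equal length, attribute types are
    equal (case-insensitively) and values are equal after normalisation."""
    if len(a) != len(b):
        return False
    return all(
        ta.casefold() == tb.casefold() and normalize_value(va) == normalize_value(vb)
        for (ta, va), (tb, vb) in zip(a, b)
    )


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 section 6.1: self-issued iff the issuer and subject DNs match.
    Which key signed the certificate plays no part in the test."""
    return names_match(cert.subject, cert.issuer)


def check_path_length(path: List[Cert], anchor_name: Name) -> Tuple[bool, int]:
    """Replay the max_path_length bookkeeping of RFC 5280 section 6.1 over a path
    whose first certificate is issued by the trust anchor and whose last is the
    target.  Returns (accepted, remaining max_path_length)."""
    working_issuer_name = anchor_name           # 6.1.2 (a): taken from the trust anchor
    max_path_length = len(path)                 # 6.1.2 (k): initialised to n
    for i, cert in enumerate(path):
        if not names_match(cert.issuer, working_issuer_name):   # 6.1.3 (a)(4)
            return False, max_path_length
        if i == len(path) - 1:
            break                               # wrap-up (6.1.5) leaves max_path_length alone
        if not is_self_issued(cert):            # 6.1.4 (l): only non-self-issued certs count
            if max_path_length <= 0:
                return False, max_path_length   # one CA certificate too many
            max_path_length -= 1
        plc = cert.path_len_constraint          # 6.1.4 (m): tighten to a smaller constraint
        if plc is not None and plc < max_path_length:
            max_path_length = plc
        working_issuer_name = cert.subject      # 6.1.4 (c)
    return True, max_path_length


# --- constructed sample data, reusing the DNs from Peter Bowen's message ---
GLOBAL = (("O", "Example Trust Services"), ("OU", "Global Trust Anchor"))
COMMERCIAL = (("O", "Example Trust Services"), ("OU", "Commercial Trust Anchor"))
ISSUING = (("O", "Example Trust Services"), ("OU", "Issuing CA"))   # constructed
LEAF = (("CN", "server.example"),)                                   # constructed

# The certificate from the question: Key0 (Global) certifies Key1 (Commercial).
# The DNs differ, so under the 6.1 rule it is an ordinary CA certificate.
CROSS = Cert(subject=COMMERCIAL, issuer=GLOBAL, signing_key="Key0", path_len_constraint=0)
# A key-rollover certificate: Commercial certifies its own new key under the same DN.
ROLLOVER = Cert(subject=COMMERCIAL, issuer=COMMERCIAL, signing_key="Key1")
# A subordinate CA with a name of its own, for contrast with the rollover certificate.
SUB_CA = Cert(subject=ISSUING, issuer=COMMERCIAL, signing_key="Key1")
LEAF_FROM_SUB = Cert(subject=LEAF, issuer=ISSUING, signing_key="KeySub")          # constructed
LEAF_FROM_COMMERCIAL = Cert(subject=LEAF, issuer=COMMERCIAL, signing_key="Key2")  # constructed


def classify(cert: Cert) -> str:
    return "self-issued" if is_self_issued(cert) else "not self-issued"


if __name__ == "__main__":
    print("Peter's certificate:", classify(CROSS))
    print("Rollover certificate:", classify(ROLLOVER))
    # CROSS carries pathLenConstraint=0.  A differently named CA after it exhausts
    # the path length; a self-issued rollover in the same position does not.
    print(check_path_length([CROSS, SUB_CA, LEAF_FROM_SUB], GLOBAL))
    print(check_path_length([CROSS, ROLLOVER, LEAF_FROM_COMMERCIAL], GLOBAL))
```

The two chains at the end differ only in the middle certificate: with the subordinate CA the path is rejected because pathLenConstraint=0 on the cross certificate has already driven max_path_length to zero, whereas the rollover certificate passes through without decrementing it. That is exactly the exception quoted from X.509 clause 8.1.5 and RFC 5280 section 6.1.4 (l), and it is why the test for "self-issued" has to be a deterministic DN comparison rather than a judgement about which entity operates the CA.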



-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Monday, July 13, 2015 3:30 PM
To: pkix@ietf.org
Subject: Re: [pkix] Self-issued certificates



Hi Peter,

It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509 definition is:

    3.5.62 self-issued certificate: A CA certificate where the issuer and the subject are the same CA. A CA might use self-issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.

The problem you are facing is that the term entity is not clearly defined. Is a CA an entity, or is a CA a specific role for an entity among other roles for the same entity?

The RFC 5280 definition seems to assume that a CA is an entity, and that the two CAs you mention are different entities, while X.509 does not necessarily make that assumption.

Kind regards,

Erik Andersen



-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Peter Bowen
Sent: 13 July 2015 00:03
To: pkix@ietf.org
Subject: [pkix] Self-issued certificates



I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509).

Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity."
However, section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields."

While it is clear that all certificates with the same DN for subject and issuer are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued, or section 6.1 could be a limiting definition.

Consider the following example:

Example Trust Services has two different private keys. Each key has a single associated DN:

Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor

There is a CA certificate created with

Subject: O=Example Trust Services, OU=Commercial Trust Anchor
Subject Public Key: Key1
Issuer: O=Example Trust Services, OU=Global Trust Anchor
Signed by Key0

Is this CA certificate considered a self-issued certificate?

Thanks,
Peter



_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix


