Re: [pkix] Self-issued certificates

Carl Wallace <carl@redhoundsoftware.com> Mon, 13 July 2015 11:14 UTC

Date: Mon, 13 Jul 2015 07:14:26 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Brian Smith <brian@briansmith.org>
Message-ID: <D1C91554.39494%carl@redhoundsoftware.com>
Thread-Topic: [pkix] Self-issued certificates
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <CAFewVt5mxdMbnZPOe=OQoLaeX_FdBZUSp-BmqHSpHHBPDyNKNQ@mail.gmail.com>
In-Reply-To: <CAFewVt5mxdMbnZPOe=OQoLaeX_FdBZUSp-BmqHSpHHBPDyNKNQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/CNpQq5ReD7_UDGw7Ndyin5cgDKI>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates

From:  Brian Smith <brian@briansmith.org>
Date:  Sunday, July 12, 2015 at 9:57 PM
To:  Peter Bowen <pzbowen@gmail.com>
Cc:  PKIX <pkix@ietf.org>
Subject:  Re: [pkix] Self-issued certificates

> 
> In fact, mozilla::pkix doesn't recognize self-issued certificates at all, and
> so doesn't implement those exceptions. So far, this has not caused any
> problems, so as far as the Web PKI is concerned, it is likely we can forget
> about the concept of self-issued certificate completely. And, that's what I
> recommend that people do.

Do you have a list of standard path validation features that were omitted
from mozilla::pkix? This could form the basis of a revised path validation
algorithm definition or at least keep folks from using a library that is
missing features that are present in their environment.
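The "exceptions" for self-issued certificates that the quoted message refers to are the steps in RFC 5280 path validation that skip a certificate whose issuer and subject names are identical (path-length counting in 6.1.4(l), the name-constraint check in 6.1.3(b)/(c), and the policy counters in 6.1.4(h)). The following is an added Python example, not code from this thread or from mozilla::pkix, that runs only the path-length steps over a constructed CA re-key path, once with the self-issued exception and once without it, to show where a validator that never recognises self-issued certificates diverges. The `Cert` dataclass is a stand-in for a parsed certificate and the sample names are invented.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed, not a real parser):
    only the fields the RFC 5280 path-length rule looks at."""
    subject: str
    issuer: str
    is_ca: bool = True
    path_len_constraint: Optional[int] = None  # basicConstraints.pathLenConstraint


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 section 6.1: a certificate is self-issued when its issuer and
    subject DNs are identical (self-signed certificates are a subset)."""
    return cert.subject == cert.issuer


def check_path_length(path: List[Cert], honour_self_issued: bool = True) -> Optional[str]:
    """Run the max_path_length steps of RFC 5280 6.1.2(k) and 6.1.4(k)-(m) over
    `path`, ordered from the certificate issued by the trust anchor down to the
    end entity (the anchor itself is not part of the path).

    Returns None when the path passes these steps, otherwise a string naming
    the failure. With honour_self_issued=False the exception in 6.1.4(l) is
    dropped, i.e. every intermediate certificate consumes path length, which
    is what a validator that ignores the self-issued concept does.
    """
    n = len(path)
    max_path_length = n  # 6.1.2(k): initialised to the number of certificates in the path
    for i, cert in enumerate(path, start=1):
        if i == n:
            break  # the 6.1.4 preparation steps run for every certificate except the last
        if not cert.is_ca:
            return f"cert {i} ({cert.subject}) is not a CA"  # 6.1.4(k)
        # 6.1.4(l): only certificates that are NOT self-issued consume path length
        if not (honour_self_issued and is_self_issued(cert)):
            if max_path_length <= 0:
                return f"path length exceeded at cert {i} ({cert.subject})"
            max_path_length -= 1
        # 6.1.4(m): a tighter pathLenConstraint lowers the remaining budget
        if cert.path_len_constraint is not None and cert.path_len_constraint < max_path_length:
            max_path_length = cert.path_len_constraint
    return None


# Constructed sample path: "Root CA" (the trust anchor, not in the path) issued
# "Sub CA" with pathLenConstraint=0. Sub CA later re-keyed and, with its old key,
# issued a certificate for its new key (issuer == subject, so self-issued); the
# new key then signed the end-entity certificate.
REKEY_PATH = [
    Cert(subject="CN=Sub CA", issuer="CN=Root CA", path_len_constraint=0),
    Cert(subject="CN=Sub CA", issuer="CN=Sub CA"),  # self-issued re-key certificate
    Cert(subject="CN=www.example.test", issuer="CN=Sub CA", is_ca=False),
]


def compare_rules(path: List[Cert]) -> dict:
    """Evaluate the same path under both interpretations of 6.1.4(l)."""
    return {
        "rfc5280": check_path_length(path, honour_self_issued=True),
        "no_self_issued": check_path_length(path, honour_self_issued=False),
    }


if __name__ == "__main__":
    for name, result in compare_rules(REKEY_PATH).items():
        print(f"{name:15s}: {'accepted' if result is None else 'rejected: ' + result}")
```

For this path RFC 5280 accepts the chain (the self-issued re-key certificate does not count against the pathLenConstraint of 0), while the variant without the exception rejects it at the second certificate. Dropping the exception therefore makes path-length handling stricter, not looser; the practical cost is that re-key paths like this one fail to validate, which is one of the omitted features a list of the kind asked for above would need to record.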