Re: [pkix] Self-issued certificates

"Miller, Timothy J." <> Tue, 14 July 2015 13:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 62F9B1ACD2F for <>; Tue, 14 Jul 2015 06:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rFasI-MNaLDx for <>; Tue, 14 Jul 2015 06:40:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4B3411ACD21 for <>; Tue, 14 Jul 2015 06:40:53 -0700 (PDT)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id 844746C03D4; Tue, 14 Jul 2015 09:40:52 -0400 (EDT)
Received: from imshyb02.MITRE.ORG ( []) by (Postfix) with ESMTP id 747D66C031D; Tue, 14 Jul 2015 09:40:52 -0400 (EDT)
Received: from imshyb02.MITRE.ORG ( by imshyb02.MITRE.ORG ( with Microsoft SMTP Server (TLS) id 15.0.1044.25; Tue, 14 Jul 2015 09:40:52 -0400
Received: from ( by imshyb02.MITRE.ORG ( with Microsoft SMTP Server (TLS) id 15.0.1044.25 via Frontend Transport; Tue, 14 Jul 2015 09:40:51 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 14 Jul 2015 13:40:51 +0000
Received: from ([]) by ([]) with mapi id 15.01.0213.000; Tue, 14 Jul 2015 13:40:50 +0000
From: "Miller, Timothy J." <>
To: Erik Andersen <>, "" <>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6Win+gscY4xki0Ne4yM5Okv53ZUDLggAAexYCAAAYZIIABcsOAgAAQOBA=
Date: Tue, 14 Jul 2015 13:40:50 +0000
Message-ID: <>
References: <> <> <000501d0bd74$6ab70660$40251320$> <> <000001d0be30$d8a64f70$89f2ee50$>
In-Reply-To: <000001d0be30$d8a64f70$89f2ee50$>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR09MB112; 5:JSg0tlaXIrAyaM6EopE8avHVFEfOaZe4O786lAC5p6WxmvJysfioaBqc0K6fw4rkA5JKyZPBCW8ve9QiVSWjA10VgHKzOF0ggciCINrQaQiRxvyYHhqy37kc9ohPOd9jYe6OlVOii2FYSwriZQFZHg==; 24:w0pCmU4yR0+t5TjdddNVOZaTpfogctK4RJpi1x0GEnKlKeME7Flh/h2sPdEVzTWhaPZSvi+rS2WLaKuOzUV7ghhkam/yL0TpZZ5R0Z4eNgk=; 20:ng0P9xyPmXd2kZev6D2QhX2f2TKkwg2v/zR98jFXTuxCnXiCNreC8fMtS34SgC8+ro8EevJuYm4uH6ZyesGKPQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB112;
by2pr09mb112: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY2PR09MB112; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB112;
x-forefront-prvs: 0637FCE711
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(13464003)(377454003)(52034003)(51704005)(77156002)(86362001)(2501003)(5003600100002)(19580405001)(33656002)(62966003)(87936001)(2656002)(92566002)(5002640100001)(40100003)(122556002)(93886004)(46102003)(107886002)(5001960100002)(189998001)(5001920100001)(5001770100001)(74316001)(19580395003)(50986999)(66066001)(54356999)(2900100001)(2950100001)(102836002)(106116001)(77096005)(76576001)(99286002)(76176999); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB112;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2015 13:40:50.5444 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB112
Archived-At: <>
Subject: Re: [pkix] Self-issued certificates
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 13:40:55 -0000

Welcome to directories.  Please check your common sense at the door.  :)

The fact that the DN in my cert and my user account DN in, say, Active Directory aren't the same isn't a problem because (a) one of my SANs is probably set for AD--e.g., UPN, and (b) most code doesn't force them to be consistent anyway.

In effect, when I load a cert into userCertificate or userSMIMECertificate the directory is binding that cert to that directory identity.  That's technically separate from the identity the CA was binding into the cert because the CA is using a separate directory.  This is a necessary consequence of multiple independent DITs.  Yay!

Are the different names different identities?  It depends.  If you consider only the computer's POV, then yes, they may be separate identities depending on the processing being done.  If you take a meatspace POV, then the answer is "not necessarily."

The only real identity that matters is "keyholder."  If I control the private key bound to any name--DN, SAN, account name, doesn't matter--then I *am* that identity for all computational intents and purposes.  If this doesn't align with meatspace, well, too bad.  The only binding between a key and a bag o' meat is the private key container--this is a big reason why we use smartcards (though under certain conditions even this binding can be invalidated--see Balfanz and Felton, 1999).

-- T

> -----Original Message-----
> From: Erik Andersen []
> Sent: Tuesday, July 14, 2015 7:30 AM
> To: Miller, Timothy J.;
> Subject: SV: [pkix] Self-issued certificates
> Hi Timothy,
> I understand what you are saying and agree that the name is the thing.
> However, the model is not that clear. Attributes may be stored in a directory
> entry either in X.500 or LDAP.
> The X.500 definition is:
> 11.2.1	User certificate attribute
> A user may obtain one or more public-key certificates from one or more CAs.
> The userCertificate attribute type contains the end-entity public-key
> certificates a user has obtained from one or more CAs.
> userCertificate ATTRIBUTE ::= {
>   WITH SYNTAX             Certificate
>   EQUALITY MATCHING RULE  certificateExactMatch
>   ID                      id-at-userCertificate }
> The RFC  4523 defines an equivalent one for LDAP.
> The  object class needed for defining directory entries is:
> 11.1.1	PKI user object class
> The PKI user object class is used in defining entries for objects that may be
> the subject of public-key certificates.
> pkiUser OBJECT-CLASS ::= {
>   SUBCLASS OF  {top}
>   KIND         auxiliary
>   MAY CONTAIN  {userCertificate}
>   ID           id-oc-pkiUser }
> As it an auxiliary object class, it has no associated name form, but it might be
> combined with a structural object class that has a name form different from
> the name form used in any subject name.
> If I get end-entity certificates from different CAs, they may not have the
> same subject name. Are they then different entities? At least they may be
> contained in the same directory entry.
> By the way, I never believed in a single DIT, which made me a apostasy of a
> religious belief at the time. I was closed to being crucified.
> -----Oprindelig meddelelse-----
> Fra: Miller, Timothy J. []
> Sendt: 13 July 2015 16:42
> Til: Erik Andersen;
> Emne: RE: [pkix] Self-issued certificates
> > I am not sure how the first paragraph leads to the second paragraph.
> > Where is that stated in RFC 5280 or X.509?
> It's not stated, it's legacy.  Originally the DN was supposed to be the entity's
> location in the imaginary X.500 directory.  Two different DNs == two different
> locations, and therefore two different entities (because X.500 had a single
> DIT).
> In short, the name--in X.509 and PKIX--*is* the thing.
> This may seem like a philosophical issue but is has real implications.  In access
> control systems, once the user's authenticator is verified, the user's public
> key is discarded and the system uses the name (usually by binding that name
> to a proprietary access credential, e.g., a cookie).  This behavior is common to
> most PK-enabled systems, though the use of the DN is no longer exclusive
> (we have SANs now).  Change the name--even if the same key is bound to it-
> -and you'll lose access.  Try it with a PK-enabled website.
> Similarly with S/MIME--change the relevant name (here the SAN
> rfc822Name), and the email won't verify.
> -- T