Re: [pkix] Self-issued certificates

[王文正 <wcwang@cht.com.tw>]

> While rolling over a self-signed certificate while preserving trust is an interesting problem (to me, anyway, 'cause I'm a fan of key continuity management ;) in general practice your example chain should never occur in TLS/SSL.  Rollover messages are certificate management messages; new-with-old and old-with-new are management artifacts and not intended for path construction.
> 
> I.e., if in your example:
> 
> - Root rollover is due to pending or past root key expiration, then the "old-root" trust anchor is replaced by "new-root;" the chain terminates at "new-root" and new-with-old doesn't appear.

You are right, if the new root cert (new-with-new self-signed cert) has been distributed to relying parties, then the relying parties can directly use the new root cert as the trust anchor and therefore they do not need to build the certification path with the help of the new-with-old self-issued cert anymore. In the situations where relying parties already has the new root cert in their lists of trust anchors, the certification path will be as follows:

new root cert --> intermediate CA cert --> TLS/SSL cert

However, most relying parties rely on COTS such as browsers or operating systems to update their lists of trust anchors. After a root CA performed its key rollover, it will submit its new root cert to "Root Certificate Programs" of all mainstream browsers or operating systems. It might take server months or even more than half year before the new root cert is accepted by "Root Certificate Programs" of all mainstream browsers or operating systems. Before the new root cert is added to the lists of trust anchors of all mainstream browsers and operating systems, TLS/SSL servers would temporarily rely on the new-with-old certificate to assist relying parties to chain the certification path up to the old root cert (i.e., the old trust anchor).

> 
> - Root rollover is due to root key compromise, new-with-old can't be trusted, "old-root" trust anchor must be removed, and the chain is invalid.

Yes, if the old root key was compromised, then both new-with-old and old-with-new are useless. In that situation, the root CA has to generate a new key pair and distribute the new root cert to relying parties as soon as possible. However, if a root CA of which root key had ever been compromised, I doubt that relying parties will trust the CA again.

Wen-Cheng Wang

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件.如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.