IETF Logo Mail Archive

Re: [pkix] Self-issued certificates

"Erik Andersen" <era@x500.eu> Tue, 14 July 2015 12:30 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FE71A90A4 for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 05:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.308
X-Spam-Level:
X-Spam-Status: No, score=0.308 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KcG_yUcvIQe4 for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 05:30:18 -0700 (PDT)
Received: from mail03.dandomain.dk (mail03.dandomain.dk [194.150.112.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4717D1AC3F3 for <pkix@ietf.org>; Tue, 14 Jul 2015 05:30:18 -0700 (PDT)
Received: from Morten ([62.44.134.114]) by mail03.dandomain.dk (DanDomain Mailserver) with ASMTP id 3201507141430169619; Tue, 14 Jul 2015 14:30:16 +0200
From: Erik Andersen <era@x500.eu>
To: "'Miller, Timothy J.'" <tmiller@mitre.org>, pkix@ietf.org
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com> <000501d0bd74$6ab70660$40251320$@x500.eu> <BY2PR09MB10985978D45536DA27003F6AE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
In-Reply-To: <BY2PR09MB10985978D45536DA27003F6AE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
Date: Tue, 14 Jul 2015 14:30:19 +0200
Message-ID: <000001d0be30$d8a64f70$89f2ee50$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQCgE/ogHwJetEhcLbEBOzoFDxgmTgH+f5lfAWVQ3CwBQRcjM6AVsqNw
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/X3iZ0jqubr_8zOkVnspDf5mm_4k>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 12:30:20 -0000

Hi Timothy,

I understand what you are saying and agree that the name is the thing.
However, the model is not that clear. Attributes may be stored in a
directory entry either in X.500 or LDAP.

The X.500 definition is:

11.2.1	User certificate attribute
A user may obtain one or more public-key certificates from one or more CAs.
The userCertificate attribute type contains the end-entity public-key
certificates a user has obtained from one or more CAs.

userCertificate ATTRIBUTE ::= {
  WITH SYNTAX             Certificate
  EQUALITY MATCHING RULE  certificateExactMatch
  ID                      id-at-userCertificate }

The RFC  4523 defines an equivalent one for LDAP. 

The  object class needed for defining directory entries is:

11.1.1	PKI user object class
The PKI user object class is used in defining entries for objects that may
be the subject of public-key certificates.

pkiUser OBJECT-CLASS ::= {
  SUBCLASS OF  {top}
  KIND         auxiliary
  MAY CONTAIN  {userCertificate}
  ID           id-oc-pkiUser }

As it an auxiliary object class, it has no associated name form, but it
might be combined with a structural object class that has a name form
different from the name form used in any subject name.

If I get end-entity certificates from different CAs, they may not have the
same subject name. Are they then different entities? At least they may be
contained in the same directory entry.

By the way, I never believed in a single DIT, which made me a apostasy of a
religious belief at the time. I was closed to being crucified.

-----Oprindelig meddelelse-----
Fra: Miller, Timothy J. [mailto:tmiller@mitre.org] 
Sendt: 13 July 2015 16:42
Til: Erik Andersen; pkix@ietf.org
Emne: RE: [pkix] Self-issued certificates

> I am not sure how the first paragraph leads to the second paragraph. 
> Where is that stated in RFC 5280 or X.509?

It's not stated, it's legacy.  Originally the DN was supposed to be the
entity's location in the imaginary X.500 directory.  Two different DNs ==
two different locations, and therefore two different entities (because X.500
had a single DIT).  

In short, the name--in X.509 and PKIX--*is* the thing.  

This may seem like a philosophical issue but is has real implications.  In
access control systems, once the user's authenticator is verified, the
user's public key is discarded and the system uses the name (usually by
binding that name to a proprietary access credential, e.g., a cookie).  This
behavior is common to most PK-enabled systems, though the use of the DN is
no longer exclusive (we have SANs now).  Change the name--even if the same
key is bound to it--and you'll lose access.  Try it with a PK-enabled
website.  

Similarly with S/MIME--change the relevant name (here the SAN rfc822Name),
and the email won't verify.

-- T

v2.23.0 | Report a Bug | By Email