Re: [pkix] Self-issued certificates
"Erik Andersen" <era@x500.eu> Tue, 14 July 2015 12:30 UTC
Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FE71A90A4 for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 05:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.308
X-Spam-Level:
X-Spam-Status: No, score=0.308 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KcG_yUcvIQe4 for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 05:30:18 -0700 (PDT)
Received: from mail03.dandomain.dk (mail03.dandomain.dk [194.150.112.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4717D1AC3F3 for <pkix@ietf.org>; Tue, 14 Jul 2015 05:30:18 -0700 (PDT)
Received: from Morten ([62.44.134.114]) by mail03.dandomain.dk (DanDomain Mailserver) with ASMTP id 3201507141430169619; Tue, 14 Jul 2015 14:30:16 +0200
From: Erik Andersen <era@x500.eu>
To: "'Miller, Timothy J.'" <tmiller@mitre.org>, pkix@ietf.org
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com> <000501d0bd74$6ab70660$40251320$@x500.eu> <BY2PR09MB10985978D45536DA27003F6AE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
In-Reply-To: <BY2PR09MB10985978D45536DA27003F6AE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
Date: Tue, 14 Jul 2015 14:30:19 +0200
Message-ID: <000001d0be30$d8a64f70$89f2ee50$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQCgE/ogHwJetEhcLbEBOzoFDxgmTgH+f5lfAWVQ3CwBQRcjM6AVsqNw
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/X3iZ0jqubr_8zOkVnspDf5mm_4k>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 12:30:20 -0000
Hi Timothy, I understand what you are saying and agree that the name is the thing. However, the model is not that clear. Attributes may be stored in a directory entry either in X.500 or LDAP. The X.500 definition is: 11.2.1 User certificate attribute A user may obtain one or more public-key certificates from one or more CAs. The userCertificate attribute type contains the end-entity public-key certificates a user has obtained from one or more CAs. userCertificate ATTRIBUTE ::= { WITH SYNTAX Certificate EQUALITY MATCHING RULE certificateExactMatch ID id-at-userCertificate } The RFC 4523 defines an equivalent one for LDAP. The object class needed for defining directory entries is: 11.1.1 PKI user object class The PKI user object class is used in defining entries for objects that may be the subject of public-key certificates. pkiUser OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {userCertificate} ID id-oc-pkiUser } As it an auxiliary object class, it has no associated name form, but it might be combined with a structural object class that has a name form different from the name form used in any subject name. If I get end-entity certificates from different CAs, they may not have the same subject name. Are they then different entities? At least they may be contained in the same directory entry. By the way, I never believed in a single DIT, which made me a apostasy of a religious belief at the time. I was closed to being crucified. -----Oprindelig meddelelse----- Fra: Miller, Timothy J. [mailto:tmiller@mitre.org] Sendt: 13 July 2015 16:42 Til: Erik Andersen; pkix@ietf.org Emne: RE: [pkix] Self-issued certificates > I am not sure how the first paragraph leads to the second paragraph. > Where is that stated in RFC 5280 or X.509? It's not stated, it's legacy. Originally the DN was supposed to be the entity's location in the imaginary X.500 directory. Two different DNs == two different locations, and therefore two different entities (because X.500 had a single DIT). In short, the name--in X.509 and PKIX--*is* the thing. This may seem like a philosophical issue but is has real implications. In access control systems, once the user's authenticator is verified, the user's public key is discarded and the system uses the name (usually by binding that name to a proprietary access credential, e.g., a cookie). This behavior is common to most PK-enabled systems, though the use of the DN is no longer exclusive (we have SANs now). Change the name--even if the same key is bound to it--and you'll lose access. Try it with a PK-enabled website. Similarly with S/MIME--change the relevant name (here the SAN rfc822Name), and the email won't verify. -- T
- [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erwann Abalea
- Re: [pkix] Self-issued certificates Brian Smith
- Re: [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Carl Wallace
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Peter Gutmann
- Re: [pkix] Self-issued certificates Jeffrey Walton
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正