Re: [pkix] Self-issued certificates

"Erik Andersen" <era@x500.eu> Mon, 13 July 2015 07:30 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E521AD16B for <pkix@ietfa.amsl.com>; Mon, 13 Jul 2015 00:30:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.909
X-Spam-Level: **
X-Spam-Status: No, score=2.909 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DK=1.009, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EV_Wy392Dbfn for <pkix@ietfa.amsl.com>; Mon, 13 Jul 2015 00:30:24 -0700 (PDT)
Received: from mail04.dandomain.dk (mail04.dandomain.dk [194.150.112.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0FDB1AD151 for <pkix@ietf.org>; Mon, 13 Jul 2015 00:30:23 -0700 (PDT)
Received: from Morten ([62.44.135.11]) by mail04.dandomain.dk (DanDomain Mailserver) with ASMTP id 4201507130930206382 for <pkix@ietf.org>; Mon, 13 Jul 2015 09:30:20 +0200
From: Erik Andersen <era@x500.eu>
To: pkix@ietf.org
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
In-Reply-To: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
Date: Mon, 13 Jul 2015 09:30:23 +0200
Message-ID: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQCgE/ogHwJetEhcLbEBOzoFDxgmTqA6TvTw
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/XrXU__u0Z-nEDFlTvmv0yQgtoAM>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 07:30:26 -0000

Hi Peter,

It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509
definition is:

3.5.62	self-issued certificate: A CA certificate where the issuer and the
subject are the same CA. A CA might use self-issued certificates, for
example, during a key rollover operation to provide trust from the old key
to the new key.

The problem you are facing is that the term entity is not clearly defined.
Is a CA an entity or is CA is specific role for an entity among other roles
for the same entity?

The RFC 5280 definition seems to assume that a CA is an entity, and the two
CA you mention are different entities, while X.509 does not necessarily make
that assumption.

Kind regards,

Erik Andersen

-----Oprindelig meddelelse-----
Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Peter Bowen
Sendt: 13 July 2015 00:03
Til: pkix@ietf.org
Emne: [pkix] Self-issued certificates

I'm trying to make sense of the definition of "self-issued certificates" in
RFC 5280 (and X.509)

Section 3.2 provides a definition: "Self-issued certificates are CA
certificates in which the issuer and subject are the same entity."
However section 6.1 says "A certificate is self-issued if the same DN
appears in the subject and issuer fields."

While it is clear that all certificates with the same DN for subject and
issue are self-issued, it is unclear to me whether a certificate with
different DNs could be self-issued.  Section 6.1 could be giving one example
of how a certificate could be self-issued or section 6.1 could be a limiting
definition.

Consider the following example:
Example Trust Services has two different private keys.  Each key has a
single associated DN:
Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor

There is a CA certificate created with
Subject: O=Example Trust Services, OU=Commercial Trust Anchor Subject Public
Key: Key1
Issuer: O=Example Trust Services, OU=Global Trust Anchor Signed by Key0

Is this CA certificate considered a self-issued certificate?

Thanks,
Peter

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix