Re: [pkix] RFC 5280 interpretation of trust anchor certificates
Niklas Matthies <pkix@nmhq.net> Mon, 10 October 2022 03:20 UTC
Return-Path: <pkix@nmhq.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9F75C14F735 for <pkix@ietfa.amsl.com>; Sun, 9 Oct 2022 20:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NwXl5b2RlCBv for <pkix@ietfa.amsl.com>; Sun, 9 Oct 2022 20:20:52 -0700 (PDT)
Received: from mail.nmhq.net (mail.nmhq.net [95.129.49.110]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8D43C14F72C for <pkix@ietf.org>; Sun, 9 Oct 2022 20:20:51 -0700 (PDT)
Received: from matthies by mail.nmhq.net with local (Exim 4.94.2) (envelope-from <pkix@nmhq.net>) id 1ohjLU-0019pS-I5 for pkix@ietf.org; Mon, 10 Oct 2022 05:20:48 +0200
Date: Mon, 10 Oct 2022 05:20:48 +0200
From: Niklas Matthies <pkix@nmhq.net>
To: pkix@ietf.org
Message-ID: <Y0OPkA9g+1LFRqmN@nmhq.net>
Mail-Followup-To: pkix@ietf.org
References: <Y0MKZ/LkgnDcOY1z@nmhq.net> <182e19f5-a630-7830-3011-0ed9fc62ea81@nthpermutation.com> <Y0MpC50ARNV8QhB0@nmhq.net> <241fd8ce-e765-c7d3-bd01-207c003f45d5@nthpermutation.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <241fd8ce-e765-c7d3-bd01-207c003f45d5@nthpermutation.com>
X-Clacks-Overhead: GNU Terry Pratchett
X-Editor: VIM - Vi IMproved 8.2
X-Operating-System: Linux 4.4.268 x86_64
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/YkfsJAGb3ySj_168vT3Ij03phqo>
Subject: Re: [pkix] RFC 5280 interpretation of trust anchor certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 03:20:53 -0000
On Sun 2022-10-09 at 21:17h, Michael StJohns wrote on pkix: >On 10/9/2022 4:03 PM, Niklas Matthies wrote: : >>So, if I understand correctly, the intent is that the second >>sentence also only applies to self-signed certificates. Hence, the >>specification given by the second sentence of how to reduce a >>certificate to a "plain" trust anchor is, strictly speaking, only >>applicable to self-signed certificates, as far as RFC 5280 is >>concerned. >> >> >That's not quite what I said or meant. What I meant was there was no >reason to include "self-signed" in the second sentence because it was >implied that we were talking about the same certificate. Some readers take the second sentence to be intended to apply to any certificate, not just self-signed ones. That's what made me start this thread, because there were different readings. So "no reason" is relative, because clearly people interpret the wording in different ways due to the omission of "self-signed" in the second sentence. >In any event, you're going to be happiest if you stop reading >"self-signed certificate" and read "trust anchor information in >whatever form provided". "... trust anchor information may be >provided ... in the form of a self-signed certificate..." does not >prevent the provision of the trust anchor information (d)1,2,3,4 in >another format. Well. RFC 5280 specifically describes how one should go about to determine the trust anchor information from a self-signed certificate, presumably because it might not be obvious how to do so. The way it is written also suggests that it is the only allowable way to interpret a self-signed certificate as trust anchor information, e.g. one does not (say) take a DN from the subjectAltName as the trusted issuer name. The RFC doesn't say "one way to use a self-signed certificate as a trust anchor is to do x", instead it says (paraphrased) "it is done this way" (though without SHALL). So, given that the way to interpret a self-signed certificate as trust anchor requires explanation, and that a specific way is presented as *the* apparantly only admissible way, it is only natural to have doubts regarding non-self-signed certificates, because why would the description not include them if the same procedure was admissible for those? Maybe the procedure is different for non-self-signed certificates, or not applicable at all for some reason? It is not obvious, prima facie. : >>Yes, that's clear to me. My point is, if another specification (ETSI >>specifications, in this case) refers to RFC 5280 for path validation >>using trust anchors in the form of non-self-signed certificates, >>then that specification would have to specify how to map >>non-self-signed certificates to trust anchors as understood by RFC >>5280, because RFC 5280 only addresses self-signed certificates. > >It does not. That self same section you quote just suggests >self-signed certificates as one form of trust anchor info and actually >lists what the trust anchor info needs to consist of. My point is that if you have a certificate that you want to use as a trust anchor, you need to apply a mapping from the certificate to the trust anchor information. That mapping is reasonably straightforward in principle, but conceivably there might be important considerations depending on the type and content of the certificate. The fact that RFC 5280 restricts its description of such a mapping to self-signed certificates could be taken as an indication that such considerations exist. Therefore, in the context of a technical specification that specifically refers to RFC 5280 for the use of trust anchors provided in the form of a certificate (which is the case with ETSI), and that wants you to apply RFC 5280 with potential trust anchor certificates that may or may not be self-signed, at least some note would be in order to clarify that the restriction of RFC 5280's description to self-signed certificates is to be taken as immaterial, and that this mapping is the one to apply to the certificates in question, whether self-signed or not. In programming terms, it's like if RFC 5280 defines a validation function taking either a SelfSignedCertficate or a PlainTrustAnchor, but the other specification says "call the RFC 5280 validation function with the Certificate value you have", and the result is a type mismatch. (This is what I mean by the "disconnect".) You need *something* that specifies that you are expected to first convert your Certificate to a PlainTrustAnchor, presumably as described in RFC 5280 for self-signed certificates, and that there are no further strings attached to that conversion (which otherwise might conceivably be the case). >>Specifying that mapping is trivial, of course (it's the same as for >>self-signed certificates), but without specifying it there is a >>formal disconnect between the two specifications. >> >I'm actually surprised that RFC5914 isn't tagged as updating 5280. I think RFC 5914 is just intended as a data format specification, and is not intended to change anything about RFC 5280. At least that's how I've always interpreted it. >I wouldn't actually say "disconnect" as Section 6.1.1 bullet (d) just >says "trust anchor information" and then notes that a self-signed >certificate is one form. The question that immediately comes up when reading that part is "why self-signed certificates specifically?". If there is a need for RFC 5280 to tell you that self-signed certificates are a valid form of specifying trust anchors, one would assume that it would also want to tell you that non-self-signed certifcates are a valid form as well, assuming that indeed that's the case. The fact that it does not do that suggests to the reader that maybe they are not a valid form for some reason. : >>Just to clarify: There is no particular reason why RFC 5280 should >>restrict certificate-represented trust anchors to self-signed >>certificates, but it just happens to do so for historical reasons? > >It goes back before that I think to X.509 v1. A self-signed >certificate was a well defined ASN1 object that could be used to carry >trust information. It could also be used to carry the information >needed to enroll a public key in a certificate. That might explain how the current wording came about. >In any event, I believe you're mis-reading 5280 as restricting trust >anchor information to X509 self-signed certificates. It does not. I'm not reading RFC 5280 as disallowing non-self-signed certificates, but as being silent on how, if at all, they are used to represent trust anchor information. Therefore any specification that wants to use them to provide trust anchor information needs to clarify how, in my view, because RFC 5280 doesn't. Niklas
- Re: [pkix] RFC 5280 interpretation of trust ancho… Michael StJohns
- [pkix] RFC 5280 interpretation of trust anchor ce… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Jeffrey Walton
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Michael StJohns
- Re: [pkix] RFC 5280 interpretation of trust ancho… George Michaelson
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Carl Wallace
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Russ Housley
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Corey Bonnell
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies