IETF Logo Mail Archive

Re: RFC 3280 bug? - Special processing for self issued certificates

Steve Hanna <shanna@funk.com> Mon, 30 August 2004 16:21 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05523 for <pkix-archive@lists.ietf.org>; Mon, 30 Aug 2004 12:21:50 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7UF75gm045438; Mon, 30 Aug 2004 08:07:05 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7UF754a045437; Mon, 30 Aug 2004 08:07:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from trilmail.funk.com (26-71-51-66.reonbroadband.com [66.51.71.26]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7UF739E045412 for <ietf-pkix@imc.org>; Mon, 30 Aug 2004 08:07:04 -0700 (PDT) (envelope-from shanna@funk.com)
Received: from [127.0.0.1] (HANNAXP [192.168.21.23]) by trilmail.funk.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id RX8MWA8S; Mon, 30 Aug 2004 11:06:56 -0400
Message-ID: <41334294.6040903@funk.com>
Date: Mon, 30 Aug 2004 11:07:00 -0400
From: Steve Hanna <shanna@funk.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Stefan Santesson <stefans@microsoft.com>
CC: Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org
Subject: Re: RFC 3280 bug? - Special processing for self issued certificates
References: <0C3042E92D8A714783E2C44AB9936E1D01325D6F@EUR-MSG-03.europe.corp.microsoft.com>
In-Reply-To: <0C3042E92D8A714783E2C44AB9936E1D01325D6F@EUR-MSG-03.europe.corp.microsoft.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Stefan,

You wrote:
 > For all valid paths to a self-issued certificate, the self-issued cert
 > will be preceded by a valid intermediary CA certificate with a
 > matching subject name. Lets call that the ICA cert.
 >
 > It seams reasonable to me that that IF ICA has a valid subject name
 > then that name would be OK also for the rollover cert, regardless of
 > whether it is used as an intermediary cert or validated as target
 > cert.

I will admit I had to check the archives on this one.
Your argument seemed compelling at first. But the email
below explains the problem. In a nutshell, the self-issued
certificate can contain a *subjectAltName* that is not
permitted by the name constraints and not contained in
the ICA cert.

I hope that explains why this requirement is needed.

Thanks,

Steve

-------- Original Message --------
Date: Fri, 04 May 2001 12:44:34 -0400
From: Steve Hanna <steve.hanna@sun.com>
To: PKIX List <ietf-pkix@imc.org>
Subject: Ignoring name constraints with self-issued certs

Regretfully, I must raise another issue with son-of-2459. In section
4.2.1.11 of draft-ietf-pkix-new-part1-06.txt, it says:

    Name constraints are not applied to certificates whose issuer and
    subject are identical.  (This could prevent CAs that use name
    constraints from issuing self-signed certificates to implement key
    rollover.)

This statement is consistent with the validation algorithm in section
6.1, which says:

    A certificate is termed self-issued if the DNs that appear in the
    subject and issuer fields are identical and are not empty.  In
    general, the issuer and subject of the certificates that make up a
    path are different for each certificate.  However, a CA may issue a
    certificate to itself to support key rollover or changes in
    certificate policies.  These self-issued certificates are not
    counted when evaluating path length or name constraints.

However, these statements (and the corresponding text in the validation
algorithm, steps (b) and (c) of section 6.1.3) are not consistent with
the text in X.509(2000), which says (in step g of section 10.5.1) "If
the certificate is not an intermediate self-issued certificate, check
that the subject name is within the name-space given by the value of
permitted-subtrees and is not within the name-space given by the value
of excluded-subtrees."

Note the word *intermediate* in X.509(2000). If a self-issued
certificate is the last certificate in the path, the name constraints
check MUST be performed. Otherwise, a security hole is opened up.
Consider the following chain of 2 certificates:

Certificate 1:
  Issuer:  o=trusty, c=us
  Subject: o=shady, c=us
  Basic Constraints:
   cA=true
  Name Constraints:
   Permitted:
    directoryName: o=shady, c=us
    rfc822Name: .shady.com

Certificate 2:
  Issuer:  o=shady, c=us
  Subject: o=shady, c=us
  SubjectAltNames:
   rfc822Name: joe@partner.com

If o=trusty, c=us is one of the trust anchors (and the certificate
signatures verify), this chain is valid according to son-of-2459. It is
not valid according to X.509(2000). I think you will agree that the
behavior described in X.509(2000) is correct. Otherwise, self-issued
certificates can be used to completely bypass the effects of name
constraints.

Therefore, I suggest that section 4.2.1.11 of
draft-ietf-pkix-new-part1-06.txt be modified to say:

    Name constraints are not applied to certificates whose issuer and
    subject are identical (unless the certificate is the final
    certificate in the path).  (This could prevent CAs that use name
    constraints from issuing self-signed certificates to implement key
    rollover.)

We should also modify the last sentence of the paragraph in section 6.1
that begins "A certificate is termed self-issued ..." (listed in full
above) to "These self-issued certificates are not counted when
evaluating path length. Name constraints are only applied to a
self-issued certificate if it is the final certificate in the path."

I also suggest that the start of steps (b) and (c) in section 6.1.3 be
changed to read:

       (b) If certificate i is self-issued and it is not the final
       certificate in the path, skip this step for certificate i.
       Otherwise, verify that the subject name is within one of the
       permitted_subtrees for X.500 distinguished names, and verify
       that each of the alternative names in the subjectAltName
       extension (critical or non-critical) is within one of the
       permitted_subtrees for that name type.

       (c) If certificate i is self-issued and it is not the final
       certificate in the path, skip this step for certificate i.
       Otherwise, verify that the subject name is not within one of the
       excluded_subtrees for X.500 distinguished names, and verify that
       each of the alternative names in the subjectAltName extension
       (critical or non-critical) is not within one of the
       excluded_subtrees for that name type.

Comments?

Steve

v2.23.0 | Report a Bug | By Email