Re: [pkix] Self-issued certificates

Erwann Abalea <eabalea@gmail.com> Mon, 13 July 2015 01:52 UTC

In-Reply-To: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
Date: Mon, 13 Jul 2015 03:52:16 +0200
Message-ID: <CA+i=0E4GXXiPSn1vtzifYgehhdxNDsCJma=A1qUghBotof3VAg@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: Peter Bowen <pzbowen@gmail.com>, "<pkix@ietf.org>" <pkix@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/aYONLR6MmCLA6VojaB-wD7fDwgo>
Subject: Re: [pkix] Self-issued certificates
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>

Good evening Peter,

This isn't a self-issued certificate in X.509/RFC5280. It's a subordinate
CA. Section 6.1 clearly defines how one knows if issuer and subject are the
same entity.

Entities in X.509 are purely technical; your company named "Example Trust
Services" doesn't exist in this standard. If it existed, there should be a
way to express if it's the same entity when it's located in the US or in MY
(think about Digicert's certificates).

You're "free" to change the rule behind section 6.1 to match your idea of
what an entity is, for your own set of applications, but it will be
incompatible with the rest of the world. This has been done with electronic
passports (BAC), where an entity is defined by the countryCode alone when
validating CRLs, and the complete DN when validating a certificate chain.

On Monday, 13 July 2015, Peter Bowen <pzbowen@gmail.com> wrote:

> I'm trying to make sense of the definition of "self-issued
> certificates" in RFC 5280 (and X.509)
>
> Section 3.2 provides a definition: "Self-issued certificates are CA
> certificates in which the issuer and subject are the same entity."
> However section 6.1 says "A certificate is self-issued if the same DN
> appears in the subject and issuer fields."
>
> While it is clear that all certificates with the same DN for subject
> and issuer are self-issued, it is unclear to me whether a certificate
> with different DNs could be self-issued.  Section 6.1 could be giving
> one example of how a certificate could be self-issued or section 6.1
> could be a limiting definition.
>
> Consider the following example:
> Example Trust Services has two different private keys.  Each key has a
> single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
>
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
>
> Is this CA certificate considered a self-issued certificate?
>
> Thanks,
> Peter
>


-- 
Erwann.
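As an added worked example (not part of the thread, and not code from either poster), the following Python models the three terms the discussion turns on and then runs Peter's two DNs through the part of RFC 5280 path validation where the distinction actually matters. "Self-issued" is decided purely by DN comparison (section 6.1, using a simplified version of the section 7.1 matching rules); "self-signed" additionally requires that the signature verify with the certificate's own key (section 3.2); anything else with cA=TRUE is an ordinary subordinate CA. The pathLenConstraint bookkeeping of section 6.1.4 (l) and (m) skips self-issued certificates, which is why the classification is not academic. Keys are opaque labels and signatures are not actually verified; the "Issuing CA 1" and "www.example.com" names are constructed for the example.

```python
"""Added example (not from the thread): RFC 5280 self-issued vs. self-signed
vs. subordinate, and the effect on pathLenConstraint processing.
Keys are opaque labels (assumption: real code compares SubjectPublicKeyInfo
and verifies signatures)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A Name is an ordered sequence of single-valued RDNs: (attribute type, value).
Name = Tuple[Tuple[str, str], ...]


def _fold(value: str) -> str:
    """Simplified s7.1 string preparation: case-insensitive, inner whitespace
    compressed, leading/trailing whitespace ignored."""
    return " ".join(value.split()).casefold()


def names_match(a: Name, b: Name) -> bool:
    """True if the two DNs are 'the same DN' in the sense of s6.1 / s7.1."""
    if len(a) != len(b):
        return False
    return all(at.casefold() == bt.casefold() and _fold(av) == _fold(bv)
               for (at, av), (bt, bv) in zip(a, b))


@dataclass(frozen=True)
class Cert:
    subject: Name
    issuer: Name
    public_key: str                 # label of the key in SubjectPublicKeyInfo (model)
    signing_key: str                # label of the key that produced the signature (model)
    is_ca: bool = True              # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint


def is_self_issued(c: Cert) -> bool:
    # s6.1: same DN in subject and issuer. The keys play no role here.
    return names_match(c.subject, c.issuer)


def is_self_signed(c: Cert) -> bool:
    # s3.2: self-issued AND verifiable with the public key bound in the cert.
    return is_self_issued(c) and c.public_key == c.signing_key


def classify(c: Cert) -> str:
    if not c.is_ca:
        return "end-entity"
    if is_self_signed(c):
        return "self-signed"
    if is_self_issued(c):
        return "self-issued"
    return "subordinate CA"


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """Only the s6.1.4 (k)-(m) bookkeeping: chain[0] is the trust anchor,
    chain[1:-1] the intermediates, chain[-1] the end entity. Signatures,
    validity, revocation, name constraints and policies are not modelled."""
    max_path_length = len(chain) - 1  # s6.1.2 (k): n = certificates in the path
    for i, cert in enumerate(chain[1:-1], start=1):
        if not cert.is_ca:                 # (k)
            return False, f"cert {i} is not a CA"
        if not is_self_issued(cert):       # (l): self-issued certs do not consume a hop
            if max_path_length <= 0:
                return False, f"pathLenConstraint exceeded at cert {i}"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:  # (m)
            max_path_length = cert.path_len
    return True, f"ok, max_path_length remaining {max_path_length}"


# Peter's two DNs from the thread; the other two names are constructed.
ETS_GLOBAL = (("O", "Example Trust Services"), ("OU", "Global Trust Anchor"))
ETS_COMMERCIAL = (("O", "Example Trust Services"), ("OU", "Commercial Trust Anchor"))
ETS_ISSUING = (("O", "Example Trust Services"), ("OU", "Issuing CA 1"))
LEAF = (("CN", "www.example.com"),)

ROOT = Cert(ETS_GLOBAL, ETS_GLOBAL, "Key0", "Key0")
# The certificate Peter asked about: Key1 under the Commercial DN, signed by Key0.
PETERS_CERT = Cert(ETS_COMMERCIAL, ETS_GLOBAL, "Key1", "Key0", path_len=0)
# A genuinely self-issued cert: Commercial key rollover, old Key1 signs new Key1b, same DN.
ROLLOVER = Cert(ETS_COMMERCIAL, ETS_COMMERCIAL, "Key1b", "Key1")
ISSUING = Cert(ETS_ISSUING, ETS_COMMERCIAL, "Key2", "Key1")
EE_VIA_ROLLOVER = Cert(LEAF, ETS_COMMERCIAL, "KeyL", "Key1b", is_ca=False)
EE_VIA_ISSUING = Cert(LEAF, ETS_ISSUING, "KeyL", "Key2", is_ca=False)


def demo() -> dict:
    """Classify the three CA certs and show pathLen=0 on PETERS_CERT letting a
    self-issued rollover through while blocking a real subordinate."""
    return {
        "root": classify(ROOT),
        "peters_cert": classify(PETERS_CERT),
        "rollover": classify(ROLLOVER),
        "rollover_path": check_path_length([ROOT, PETERS_CERT, ROLLOVER, EE_VIA_ROLLOVER])[0],
        "issuing_path": check_path_length([ROOT, PETERS_CERT, ISSUING, EE_VIA_ISSUING])[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete: Peter's certificate, with Key1 under "OU=Commercial Trust Anchor" issued by "OU=Global Trust Anchor", is a subordinate CA and consumes a hop of any pathLenConstraint above it, whereas the key-rollover certificate with identical subject and issuer DNs is self-issued (but not self-signed, since Key1 signed Key1b) and is skipped by step (l). The name comparison is the only input to that decision; any notion of "same organisation" lives outside the standard, which is Erwann's point.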