Re: [pkix] Self-issued certificates

"Miller, Timothy J." <tmiller@mitre.org> Fri, 17 July 2015 15:36 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E688A1A0025 for <pkix@ietfa.amsl.com>; Fri, 17 Jul 2015 08:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLlp-_9zJbXx for <pkix@ietfa.amsl.com>; Fri, 17 Jul 2015 08:36:43 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id AE6681A0024 for <pkix@ietf.org>; Fri, 17 Jul 2015 08:36:43 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 068E18BC356; Fri, 17 Jul 2015 11:36:43 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (imshyb02.mitre.org [129.83.29.3]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id ED53B8BC348; Fri, 17 Jul 2015 11:36:42 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Fri, 17 Jul 2015 11:36:42 -0400
Received: from na01-bl2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1044.25 via Frontend Transport; Fri, 17 Jul 2015 11:36:42 -0400
Received: from BY2PR09MB109.namprd09.prod.outlook.com (10.242.36.149) by BY2PR09MB109.namprd09.prod.outlook.com (10.242.36.149) with Microsoft SMTP Server (TLS) id 15.1.213.14; Fri, 17 Jul 2015 15:36:41 +0000
Received: from BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) by BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) with mapi id 15.01.0213.000; Fri, 17 Jul 2015 15:36:41 +0000
From: "Miller, Timothy J." <tmiller@mitre.org>
To: =?utf-8?B?546L5paH5q2j?= <wcwang@cht.com.tw>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6Win+gscY4xki0Ne4yM5Okv53YpJmAgADHUoCAAC03gIABiFsAgABHlACAAXDtAIAAB9uAgAFHIYCAAAi2AIAAESSAgAAI8gCAAXawgIAABqew
Date: Fri, 17 Jul 2015 15:36:41 +0000
Message-ID: <BY2PR09MB109017D1684733D234E23BDAE980@BY2PR09MB109.namprd09.prod.outlook.com>
References: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp> <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org> <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cht.com.tw; dkim=none (message not signed) header.d=none;
x-originating-ip: [192.160.51.88]
x-microsoft-exchange-diagnostics: 1; BY2PR09MB109; 5:A0UOWTtfBV3102Czpnzfa2eApH5J8SjmY0fHeN0vDDnYr2LYV/qqyh4nrXF+TZymA9+ql6QcrftMB8qsGQ6aBEqEKB6fa0X5wbYLmwrOSkyFwIchUc8Qyk1sig4N1n6GC2WFT3eUQ6DfKvyzUimpHA==; 24:kMsOvG8GJmHg1lMWEO/+tKl0FbHksuuFdvkALL1Qh6KmGARFWu3EIripP4QfAvIWbuMBtW1uHkMxhlpZ6t4jewwBZVLuolJFQLYOXODsYnI=; 20:EFQGxnidl1bQY7+RQGdfMsm06BCCBMZMYVBDeJwxbgykvJJ+z0IJjEu3+hiTiDUR/GtPMKU+8kNg5aLxRH8tSw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB109;
by2pr09mb109: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BY2PR09MB10940963B4C8FBB004352BCAE980@BY2PR09MB109.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY2PR09MB109; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB109;
x-forefront-prvs: 06400060E1
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(106116001)(2656002)(77156002)(87936001)(86362001)(122556002)(99286002)(5003600100002)(5002640100001)(33656002)(62966003)(46102003)(77096005)(189998001)(5001960100002)(2501003)(5001770100001)(76576001)(102836002)(5001920100001)(2950100001)(92566002)(54356999)(74316001)(76176999)(50986999)(2900100001)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB109; H:BY2PR09MB109.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2015 15:36:41.0724 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB109
X-OriginatorOrg: mitre.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/biVcUbKWdxyf0p3T4FJClRaQt6w>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 15:36:45 -0000

> In a case where the end-entity certificate is a SSL certificate, after the root
> key rollover, the certification path will be as follows:
 
> old root self-signed cert --> new-with-old self-issued cert --> subordinate CA
> cert --> SSL cert

While rolling over a self-signed certificate while preserving trust is an interesting problem (to me, anyway, 'cause I'm a fan of key continuity management ;) in general practice your example chain should never occur in TLS/SSL.  Rollover messages are certificate management messages; new-with-old and old-with-new are management artifacts and not intended for path construction.

I.e., if in your example:

- Root rollover is due to pending or past root key expiration, then the "old-root" trust anchor is replaced by "new-root;" the chain terminates at "new-root" and new-with-old doesn't appear.

- Root rollover is due to root key compromise, new-with-old can't be trusted, "old-root" trust anchor must be removed, and the chain is invalid.   

-- T