Re: [pkix] Self-issued certificates

Peter Bowen <> Mon, 13 July 2015 04:46 UTC


On Sun, Jul 12, 2015 at 6:52 PM, Erwann Abalea <> wrote:
> This isn't a self-issued certificate in X.509/RFC5280. It's a subordinate
> CA. Section 6.1 clearly defines how one knows if issuer and subject are the
> same entity.
> Entities in X.509 are purely technical; your company named "Example Trust
> Services" doesn't exist in this standard. If it existed, there should be a
> way to express if it's the same entity when it's located in the US or in MY
> (think about Digicert's certificates).

Merci Erwann.  Taking this one step further, X.509 has the following

authority: An entity, responsible for the issuance of certificates.
Two types are defined in this [document]; a certification authority
which issues public-key certificates and an attribute authority which
issues attribute certificates

certification authority (CA): An authority trusted by one or more
users to create and assign public-key

Do I take it correctly that a single business entity (e.g. société
anonyme or SARL) may operate multiple certificate authorities and that
the term "entity" in the above definition does not refer to the
business entity but rather to the existence of each CA as being
independent, separate, and self-contained?
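
The name-based test referred to in the quoted reply (RFC 5280 Section 6.1, using the name matching of Section 7.1), as an added example that is not part of the original message: a certificate is self-issued when its issuer and subject DNs match, whichever business operates the CA. The DNs are constructed samples, names are modelled as lists of RDNs rather than parsed from DER, and `norm_value` is a simplified stand-in for the full string preparation.

```python
import unicodedata

def norm_value(value):
    """Simplified stand-in for RFC 4518 string preparation:
    fold case, trim, and collapse internal whitespace runs."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())

def rdn_key(rdn):
    """An RDN is a set of (type, value) pairs; order inside one RDN is not significant."""
    return sorted((attr.lower(), norm_value(val)) for attr, val in rdn)

def dn_match(a, b):
    """DNs match if they have the same number of RDNs and each RDN
    matches the RDN at the same position in the other name."""
    return len(a) == len(b) and all(rdn_key(x) == rdn_key(y) for x, y in zip(a, b))

def is_self_issued(cert):
    """Self-issued is decided on names only. It says nothing about the key:
    a key-rollover certificate is self-issued without being self-signed."""
    return dn_match(cert["issuer"], cert["subject"])

def dn(*pairs):
    """Helper (hypothetical): build a DN of single-valued RDNs."""
    return [[pair] for pair in pairs]

# Constructed sample names, not taken from any real certificate.
ROOT_US = dn(("C", "US"), ("O", "Example Trust Services"), ("CN", "Example Root CA"))
ROOT_US_RESPELLED = dn(("c", "us"), ("o", "example  trust   services"),
                       ("cn", " Example Root CA "))
ISSUING_MY = dn(("C", "MY"), ("O", "Example Trust Services"), ("CN", "Example Issuing CA"))

CERTS = {
    "root": {"issuer": ROOT_US, "subject": ROOT_US},
    # Same name with different case and spacing: still the same DN.
    "rollover": {"issuer": ROOT_US, "subject": ROOT_US_RESPELLED},
    # Same organisation name, different DN: a subordinate CA, not self-issued.
    "subordinate_my": {"issuer": ROOT_US, "subject": ISSUING_MY},
}

def classify_all():
    return {name: is_self_issued(cert) for name, cert in CERTS.items()}

if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name}: {'self-issued' if result else 'not self-issued'}")
```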