Re: [pkix] RFC 5280 interpretation of trust anchor certificates
Niklas Matthies <pkix@nmhq.net> Wed, 12 October 2022 02:02 UTC
Return-Path: <pkix@nmhq.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C488EC1524DE for <pkix@ietfa.amsl.com>; Tue, 11 Oct 2022 19:02:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzuKUs98l75g for <pkix@ietfa.amsl.com>; Tue, 11 Oct 2022 19:02:47 -0700 (PDT)
Received: from mail.nmhq.net (mail.nmhq.net [95.129.49.110]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0795C1522AF for <pkix@ietf.org>; Tue, 11 Oct 2022 19:02:46 -0700 (PDT)
Received: from matthies by mail.nmhq.net with local (Exim 4.94.2) (envelope-from <pkix@nmhq.net>) id 1oiR51-001IlS-44 for pkix@ietf.org; Wed, 12 Oct 2022 04:02:43 +0200
Date: Wed, 12 Oct 2022 04:02:43 +0200
From: Niklas Matthies <pkix@nmhq.net>
To: pkix@ietf.org
Message-ID: <Y0YgQ8VsI1cTU27l@nmhq.net>
Mail-Followup-To: pkix@ietf.org
References: <Y0MKZ/LkgnDcOY1z@nmhq.net> <EC0F50DD-6ED8-4C06-917A-EA0F3737BAFB@vigilsec.com> <Y0XRchBA1Lpaclj4@nmhq.net> <DM6PR14MB21868B7C9A9B64867490FCB792229@DM6PR14MB2186.namprd14.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Disposition: inline
In-Reply-To: <DM6PR14MB21868B7C9A9B64867490FCB792229@DM6PR14MB2186.namprd14.prod.outlook.com>
X-Clacks-Overhead: GNU Terry Pratchett
X-Editor: VIM - Vi IMproved 8.2
X-Operating-System: Linux 4.4.268 x86_64
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/djmPgoAjBcohnJcX0HSK5hAlMAA>
Subject: Re: [pkix] RFC 5280 interpretation of trust anchor certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 02:02:50 -0000
Hi Corey, If you look at my first post starting this thread, my question is exactly about the interpretation of that second sentence, because people read it differently. Michael who responded first in this thread interprets it as referring to the certificates of the first sentence, so only self-signed ones. I originally had the same interpretation. That interpretation makes sense, because pretty much everywhere else RFC 5280 only refers to self-signed certificates as representing a trust anchor. For example, in the first paragraph on page 13, there is the sentence "Self-signed certificates are used to convey a public key for use to begin certification paths." That suggests that the RFC assumes that non-self-signed certificates are not used in that way. Now, I'm open to the possibility the second sentence is intended to also apply to non-self-signed certificates. But in that case it is strange that the immediately preceding sentence specifically only mentions self-signed certificates. At the very least, this causes readers to interpret the second sentence in different ways, effectively making it ambiguous. A clarifying erratum would seem appropriate, provided that a consensus can be found about what it is supposed to mean. The other issue with the second sentence is that its requirement level is somewhat unclear, because it uses neither SHALL nor MAY, nor something like "typically" (marking an informative as opposed to a normative character), but just "is used as". Regarding the process of mapping a trusted certificate to the trust anchor information, in the sense of items (1)-(4) above that paragraph, it is unclear what the conformance implications of RFC 5280 are. If, for example, a mapping is applied for a non-self-signed certificate that takes a DN contained in the subjectAltName field as the trusted issuer name instead of (or in addition to) the DN from the subject field, would that mapping violate RFC 5280? Would it when applied to a self-signed certificate? That is unclear. Due to those issues, in my view RFC 5280 cannot be used without further clarification as a normative reference for how to perform such a mapping. Note that I'm not disputing that non-self-signed certificates can be used as trust anchors. What I'm saying is that I don't see that RFC 5280 would unambiguously and prescriptively specify how a non-self-signed certificate is to be mapped to trust anchor information. Niklas On Wed 2022-10-12 at 00:33h, Corey Bonnell wrote on pkix: >Hi Niklas, > >Section 6.1.1 (d) says: >" The trust anchor information may be provided to the path > processing procedure in the form of a self-signed certificate. > When the trust anchor information is provided in the form of a > certificate, the name in the subject field is used as the trusted > issuer name and the contents of the subjectPublicKeyInfo field is > used as the source of the trusted public key algorithm and the > trusted public key." > >The first sentence provides an illustrative example how trust anchor >information can be distributed. The second sentence describes how the name >and public key can be extracted from a certificate. Note that the second >sentence does not say "self-signed certificate", but rather merely says >"certificate". Given this, I believe this sentence is also applicable to >non- self-signed (or even non- self-issued) certificates that are used as >trust anchors. > >Thanks, >Corey > >-----Original Message----- >From: pkix <pkix-bounces@ietf.org> On Behalf Of Niklas Matthies >Sent: Tuesday, October 11, 2022 4:26 PM >To: pkix@ietf.org >Subject: Re: [pkix] RFC 5280 interpretation of trust anchor certificates > >Russ, > >The context of this thread concerns the European Trusted Lists, which are >intended to provide a set of trust anchors for various services. >The service entries in a Trusted List contain trusted certificates, however >it remains unspecified how to map those certificates (plus, potentially, >associated metadata in the service entries) to the specific form of trust >anchor information required as input for the RFC 5280 path validation >algorithm (item (d) on page 76). Most of those certificates are not >self-signed. > >The argument has been made on the ESI mailing list that RCF 5280 actually >does specify how to do that mapping, but in my reading it only does that for >self-signed certificates, if at all. Hence I started this thread to get a >clarification on that point. > >My current conclusion is still that RFC 5280 at best only specifies a >mapping for self-signed certificates. Even for those, it's not clear whether >the use of that specific mapping is mandatory, due to the lack of "shall" or >of other keywords indicating the requirement level. This to me indicates a >technical gap in the ETSI specifications regarding the use of the Trusted >Lists. > >Niklas > > >On Mon 2022-10-10 at 12:13h, Russ Housley wrote on pkix: >>Niklas: >> >>The relying party gets to decide the set of trust anchors that it will >accept. >> >>A very common way to distribute trust anchors is self-signed >>certificates. This provides the public key, the algorithm identifier >>for the public key, and the distinguished name for the trust anchor. >>As noted by others, RFC 5914 defines an alternative format to supply >>the trust anchor public key, the algorithm identifier for the public >>key, and the distinguished name. This information are needed to >>validate certification paths that terminate at the trust anchor. >> >>The relying party can use a self-signed certificate or any other >>certificate or any other source to update their trust anchor store. >>In practice, a self-signed certificate is normally used; the creation >>of a self-signed certificate illustrates an expectation for it to be >>used as a trust anchor. >> >>Russ >> >> >>> On Oct 9, 2022, at 1:52 PM, Niklas Matthies <pkix@nmhq.net> wrote: >>> >>> Dear all, >>> >>> On the ESI (ETSI) mailing list, the question came up whether RFC 5280 >says anything about trust anchors provided in the form of certificates that >are _not_ self-signed. >>> >>> In section 6.1.1, there is the following wording on page 76: >>> >>> The trust anchor information may be provided to the path >>> processing procedure in the form of a self-signed certificate. >>> When the trust anchor information is provided in the form of a >>> certificate, the name in the subject field is used as the trusted >>> issuer name and the contents of the subjectPublicKeyInfo field is >>> used as the source of the trusted public key algorithm and the >>> trusted public key. >>> >>> The first sentence seems to indicate that the case of providing a trust >anchor in the form of a non-self-signed certicate is not considered here. >But the second sentence doesn't repeat the "self-signed" bit, which can be >interpreted as that sentence also applying to non-self-signed certificates. >However, if that is the case, why does the first sentence restrict itself to >specifically self-signed certificates? >>> >>> On page 74 there is also the following wording: >>> When the trust anchor is provided in the form of a self-signed >>> certificate, this self-signed certificate is not included as >part of the prospective certification path. >>> >>> If RFC 5280 also allows the possibility of trust anchors being >>> provided in the form of non-self-signed certificates, then it would seem >that the above restriction would not apply to those, i.e., that they may be >included as part of the prospective certifcation path. However, I don't see >how that would make any sense. >>> >>> All the wording taken together, my conclusion up to now was that RFC 5280 >simply does not consider the possibility that the trust anchor could be >provided in the form of a non-self-signed certificate, and that therefore, >specifications which *do* allow for that possibility (such as in the context >of ETSI trusted lists) have to clarify how that case maps onto what RFC 5280 >expects. >>> >>> If that interpretation is incorrect, that is, if RFC 5280 doesn't >actually care about whether a trust-anchor-representing certificate provided >as input to the path validation algorithm is self-signed or not, then maybe >an erratum is in order? >>> >>> Kind regards, >>> Niklas >>> >>> _______________________________________________ >>> pkix mailing list >>> pkix@ietf.org >>> https://www.ietf.org/mailman/listinfo/pkix >> > >_______________________________________________ >pkix mailing list >pkix@ietf.org >https://www.ietf.org/mailman/listinfo/pkix
- Re: [pkix] RFC 5280 interpretation of trust ancho… Michael StJohns
- [pkix] RFC 5280 interpretation of trust anchor ce… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Jeffrey Walton
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Michael StJohns
- Re: [pkix] RFC 5280 interpretation of trust ancho… George Michaelson
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Carl Wallace
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Russ Housley
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies
- Re: [pkix] RFC 5280 interpretation of trust ancho… Corey Bonnell
- Re: [pkix] RFC 5280 interpretation of trust ancho… Niklas Matthies