[pkix] Self-issued certificates
Peter Bowen <pzbowen@gmail.com> Sun, 12 July 2015 22:02 UTC
Return-Path: <pzbowen@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 866C31A886F for <pkix@ietfa.amsl.com>; Sun, 12 Jul 2015 15:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.5
X-Spam-Level: **
X-Spam-Status: No, score=2.5 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kR2A4OsixAIV for <pkix@ietfa.amsl.com>; Sun, 12 Jul 2015 15:02:53 -0700 (PDT)
Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AEFB1A886E for <pkix@ietf.org>; Sun, 12 Jul 2015 15:02:53 -0700 (PDT)
Received: by pacan13 with SMTP id an13so4440109pac.1 for <pkix@ietf.org>; Sun, 12 Jul 2015 15:02:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=m22HWBX+a4HDn9JIHSC5jOoKsDJWVFz7NCXA3/Ekz24=; b=RlgjCB+t+A9g3lgX9ZlIGklRCty+5L5UMVEBPQrmzeL2tfm6n2551yY8O1WWBFgETk wMth27AmctYabmTOhDHySxOmd0RSuiZULkMV5cYcYJsB93VoF+9tq5Xk/1rt6E7bAycm Dj1UPTrC5FMYU8yCgfnELiYkqOQXmY1Tzb3SIJlglQ7kAXx+mwIuq0ygAYmBs7mMQ/PO 85aOXX5M+ZUVQ1qwvLvs5QnNFbQkbEd/IloYdEsEULj5gZ94j98aHDBqlYBNEXE765u8 Zc9tUZ9xrAhkUWqTtJbmWwzmvP1rArBRtWtbSD+vLIp98GXy+qKJ5Km/u0iO2KADYC9V s4LA==
MIME-Version: 1.0
X-Received: by 10.68.185.37 with SMTP id ez5mr63505883pbc.74.1436738573130; Sun, 12 Jul 2015 15:02:53 -0700 (PDT)
Received: by 10.70.66.5 with HTTP; Sun, 12 Jul 2015 15:02:53 -0700 (PDT)
Date: Sun, 12 Jul 2015 15:02:53 -0700
Message-ID: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: pkix@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/h2U1JPUedeoN0IhQ3JnsUKPK4II>
Subject: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jul 2015 22:02:54 -0000
I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509) Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity." However section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields." While it is clear that all certificates with the same DN for subject and issue are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued or section 6.1 could be a limiting definition. Consider the following example: Example Trust Services has two different private keys. Each key has a single associated DN: Key0 has DN O=Example Trust Services, OU=Global Trust Anchor Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor There is a CA certificate created with Subject: O=Example Trust Services, OU=Commercial Trust Anchor Subject Public Key: Key1 Issuer: O=Example Trust Services, OU=Global Trust Anchor Signed by Key0 Is this CA certificate considered a self-issued certificate? Thanks, Peter
- [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erwann Abalea
- Re: [pkix] Self-issued certificates Brian Smith
- Re: [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Carl Wallace
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Peter Bowen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Erik Andersen
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Martin Rex
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Peter Gutmann
- Re: [pkix] Self-issued certificates Jeffrey Walton
- Re: [pkix] Self-issued certificates 王文正
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates Miller, Timothy J.
- Re: [pkix] Self-issued certificates 王文正