Re: [pkix] Self-issued certificates

"Erik Andersen" <era@x500.eu> Mon, 13 July 2015 14:01 UTC

From: Erik Andersen <era@x500.eu>
To: pkix@ietf.org
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com> <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
In-Reply-To: <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
Date: Mon, 13 Jul 2015 16:01:29 +0200
Message-ID: <000501d0bd74$6ab70660$40251320$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/hAwuhmYFEulIUfQv5X8bL9XX9U8>
List-Id: PKIX Working Group <pkix.ietf.org>

Hi Timothy

I am not sure how the first paragraph leads to the second paragraph. Where
is that stated in RFC 5280 or X.509?

Regards

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Miller, Timothy J.
Sent: 13 July 2015 14:25
To: Peter Bowen; pkix@ietf.org
Subject: Re: [pkix] Self-issued certificates

In X.509 (and PKIX) the name *is* the identity.  X.509 (and PKIX) binds keys
to names; the key can change but the name remains invariant.  In contrast,
SPKI/SDSI binds names to keys; the key remains invariant, but the name can
change.

So if it has a different DN, it's not the same entity.  As a result there's
no ambiguity in the RFC.

It is possible to bind the same key to different names.  Nothing stops you
from presenting the same key to multiple CAs and claiming different names.
If your goal is pseudonymity, though, I wouldn't recommend this.  :)

It's also possible to use keys from X.509 certificates as entities and
ignore the name--e.g., key continuity management (a.k.a. certificate
pinning)--but this is outside the spec.

-- T 

> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Peter Bowen
> Sent: Sunday, July 12, 2015 5:03 PM
> To: pkix@ietf.org
> Subject: [pkix] Self-issued certificates
> 
> I'm trying to make sense of the definition of "self-issued
> certificates" in RFC 5280 (and X.509)
> 
> Section 3.2 provides a definition: "Self-issued certificates are CA 
> certificates in which the issuer and subject are the same entity."
> However section 6.1 says "A certificate is self-issued if the same DN 
> appears in the subject and issuer fields."
> 
> While it is clear that all certificates with the same DN for subject
> and issuer are self-issued, it is unclear to me whether a certificate
> with different DNs could be self-issued.  Section 6.1 could be giving
> one example of how a certificate could be self-issued, or section 6.1
> could be a limiting definition.
> 
> Consider the following example:
> Example Trust Services has two different private keys.  Each key has a 
> single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
> 
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
> 
> Is this CA certificate considered a self-issued certificate?
> 
> Thanks,
> Peter
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
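As an added example (not part of the thread; written by the editor against Go's standard-library crypto/x509, with keys, serial numbers and validity periods generated or constructed here), the three CA certificates Peter's scenario gives rise to, classified by the section 6.1 DN test and by whether the signature verifies under the subject's own key. Peter's cross-key certificate comes out as not self-issued under the DN test, a key-rollover certificate carrying the same DN comes out self-issued but not self-signed, and only the root is both. The byte-for-byte comparison of the DER names is the strict reading; RFC 5280 section 7.1 also allows a looser string comparison, and that is the assumption to check when names differ only in case or whitespace.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Class records how a certificate falls under the two RFC 5280 notions.
//   SelfIssued: the same DN appears in subject and issuer (section 6.1),
//               compared here byte-for-byte on the DER encoding (strict reading;
//               section 7.1 also permits a string-normalising comparison).
//   SelfSigned: self-issued AND the signature verifies under the certificate's
//               own subject public key (section 3.2).
type Class struct {
	SelfIssued bool
	SelfSigned bool
}

func Classify(c *x509.Certificate) Class {
	selfIssued := bytes.Equal(c.RawSubject, c.RawIssuer)
	selfSigned := selfIssued &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	return Class{SelfIssued: selfIssued, SelfSigned: selfSigned}
}

// ConsumedPathLen counts the intermediates that decrement max_path_length in
// the section 6.1.4 step (l) path validation algorithm: self-issued ones do not.
func ConsumedPathLen(intermediates []*x509.Certificate) int {
	n := 0
	for _, c := range intermediates {
		if !Classify(c).SelfIssued {
			n++
		}
	}
	return n
}

// DNs as written in Peter Bowen's example.
var (
	globalDN = pkix.Name{Organization: []string{"Example Trust Services"},
		OrganizationalUnit: []string{"Global Trust Anchor"}}
	commercialDN = pkix.Name{Organization: []string{"Example Trust Services"},
		OrganizationalUnit: []string{"Commercial Trust Anchor"}}
)

// caTemplate builds a minimal CA template; serial and validity are constructed values.
func caTemplate(subject pkix.Name, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with signer; CreateCertificate copies the issuer name from parent's subject.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildExample generates Key0 and Key1 and issues the three certificates:
//   root:     Global DN,     Key0, signed by Key0 -> self-issued and self-signed
//   rollover: Global DN,     Key1, signed by Key0 -> self-issued, not self-signed
//   cross:    Commercial DN, Key1, signed by Key0 -> Peter's case: not self-issued
func BuildExample() (root, rollover, cross *x509.Certificate, err error) {
	key0, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := caTemplate(globalDN, 1)
	if root, err = issue(rootTmpl, rootTmpl, &key0.PublicKey, key0); err != nil {
		return nil, nil, nil, err
	}
	if rollover, err = issue(caTemplate(globalDN, 2), root, &key1.PublicKey, key0); err != nil {
		return nil, nil, nil, err
	}
	cross, err = issue(caTemplate(commercialDN, 3), root, &key1.PublicKey, key0)
	return root, rollover, cross, err
}

func main() {
	root, rollover, cross, err := BuildExample()
	if err != nil {
		panic(err)
	}
	for _, e := range []struct {
		name string
		c    *x509.Certificate
	}{{"root", root}, {"rollover", rollover}, {"cross", cross}} {
		fmt.Printf("%-8s subject=%q issuer=%q %+v\n", e.name, e.c.Subject.String(), e.c.Issuer.String(), Classify(e.c))
	}
	fmt.Println("path length consumed by [rollover, cross]:", ConsumedPathLen([]*x509.Certificate{rollover, cross}))
}
```

Both the rollover and the cross certificate chain to the root by signature, so the only thing separating them for the path validation algorithm is the DN test: the rollover certificate is free under max_path_length and name constraints as a self-issued intermediate, the cross certificate is not.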