Re: [pkix] Self-issued certificates

"Miller, Timothy J." <tmiller@mitre.org> Mon, 20 July 2015 12:39 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: 王文正 <wcwang@cht.com.tw>
Date: Mon, 20 Jul 2015 12:39:25 +0000
Message-ID: <BY2PR09MB1092B79E38CED2705DB3ED9AE850@BY2PR09MB109.namprd09.prod.outlook.com>
References: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp> <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org> <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>, <BY2PR09MB109017D1684733D234E23BDAE980@BY2PR09MB109.namprd09.prod.outlook.com> <20825998BCB8D84C983674C159E25E753D6268E0@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20825998BCB8D84C983674C159E25E753D6268E0@mbs6.app.corp.cht.com.tw>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/iySnu6tIqTk5dBxwsfo4k8AhZTs>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
List-Id: PKIX Working Group <pkix.ietf.org>

> However, most relying parties rely on COTS such as browsers or operating
> systems to update their lists of trust anchors. After a root CA has performed its
> key rollover, it will submit its new root cert to the "Root Certificate Programs" of
> all mainstream browsers or operating systems. It might take several months
> or even more than half a year before the new root cert is accepted by the "Root
> Certificate Programs" of all mainstream browsers or operating systems.
> Before the new root cert is added to the lists of trust anchors of all
> mainstream browsers and operating systems, TLS/SSL servers would
> temporarily rely on the new-with-old certificate to assist relying parties in
> chaining the certification path up to the old root cert (i.e., the old trust anchor).

In practice, commercial CAs act with enough foresight that this isn't a problem for the most part; they ensure that a new root is published (minimally by MS and Mozilla) before making it an active issuer.  It's not like you can't see key expiration coming and plan accordingly.

Private CAs have their own trust management avenues so while they have to do the same kind of planning, timelines are shorter.  

Most PKIs also create new CAs rather than deal with the complexities of rollover.  It's easier to just prune the PKI entity tree than to try to graft in a new parent node.  As each CA switches into CRL-only mode [1] you have another ready to take its place and operations continue without interruption.  

-- T

[1] If your CP and CPS are written according to best practices, a CA's actual lifetime is minimally double the maximum Subscriber key lifetime.  By doing so, the CA can issue a Subscriber cert just before switching into CRL-only mode, that Subscriber gets a full life out of that cert, and the CA can be retired as soon as all Subscriber certs are either revoked (with a final CRL issued) or expired.
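The two mechanisms discussed in this exchange, the new-with-old certificate from the quoted text and the CA-lifetime rule from footnote [1], can be seen end to end with nothing but the openssl CLI. The script below is an added example and is not code from either poster; every name, file name and lifetime in it is made up for the demonstration. It builds an old root, a new root in both its self-signed and its new-with-old form, a server certificate issued by the new root, and a deliberately short-lived CA that issues a certificate outliving it, then exposes a `verify_at` helper so a relying party's view at a chosen point in time can be checked.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: a throwaway PKI built with the
# openssl CLI to show (a) how a "new-with-old" certificate lets a relying party
# that still trusts only the old root validate certificates from the new root,
# and (b) why a CA that issues right up to its own expiry leaves subscriber
# certificates that outlive it. All names, lifetimes and file names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for anything that must be allowed to sign other certificates.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for an end-entity (server) certificate.
cat > ee.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:www.example.test
EOF

# key_and_csr NAME CN : fresh P-256 key plus a CSR carrying only a CN.
key_and_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# self_sign NAME DAYS : self-signed root certificate (the trust-anchor form).
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" \
        -extfile ca.ext -out "$1.pem" 2>/dev/null
}

# issue ISSUER SUBJECT DAYS EXTFILE : ISSUER's key signs SUBJECT's CSR,
# producing SUBJECT-by-ISSUER.pem.
issue() {
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days "$3" -extfile "$4" -out "$2-by-$1.pem" 2>/dev/null
}

# verify_at ANCHOR UNTRUSTED LEAF EPOCH : returns 0 if openssl can build a path
# from LEAF to ANCHOR as of time EPOCH, using UNTRUSTED (may be "") as the
# extra certificates a server would send in its handshake.
verify_at() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" -attime "$4" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -attime "$4" "$3" >/dev/null 2>&1
    fi
}

# (a) Root rollover.  Old root: already present in relying parties' trust stores.
key_and_csr old_root "Example Old Root";  self_sign old_root 3650
# New root, self-signed: the form that will eventually reach the root programs.
key_and_csr new_root "Example New Root";  self_sign new_root 3650
# New-with-old: same subject name and key as the new root, signed by the old one.
issue old_root new_root 730 ca.ext            # -> new_root-by-old_root.pem
# A server certificate issued by the new root.
key_and_csr www "www.example.test";          issue new_root www 90 ee.ext

# (b) Footnote [1]: a CA whose remaining life is shorter than what it issues.
# The 30-day CA issues a 90-day certificate "just before" it would retire.
key_and_csr short_ca "Example Short-Lived CA"; self_sign short_ca 30
key_and_csr svc "svc.example.test";            issue short_ca svc 90 ee.ext

# Reference times, taken after issuance so nothing is "not yet valid".
NOW=$(date +%s)
DAY=86400
SOON=$((NOW + DAY))          # a day after issuance
LATER=$((NOW + 60 * DAY))    # day 60 of the 90-day certificates
```

Read the results as the relying parties in the quoted text would: a client holding only the old root validates the new-root server certificate only when the server also sends `new_root-by-old_root.pem`; a client that already received the new root through its trust-store update needs nothing extra; and the short-lived CA's certificate validates on day 1 but not on day 60, which is exactly the situation the "double the maximum Subscriber key lifetime" rule is meant to rule out.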