Re: [pkix] Self-issued certificates

"Erik Andersen" <> Tue, 14 July 2015 08:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B622E1A90B3 for <>; Tue, 14 Jul 2015 01:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.308
X-Spam-Status: No, score=0.308 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1m5XYZRlVH04 for <>; Tue, 14 Jul 2015 01:39:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B8CFE1A90AE for <>; Tue, 14 Jul 2015 01:39:31 -0700 (PDT)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 3201507141039283129 for <>; Tue, 14 Jul 2015 10:39:28 +0200
From: Erik Andersen <>
References: <> <000001d0bd3d$c7bcfa90$5736efb0$> <>
In-Reply-To: <>
Date: Tue, 14 Jul 2015 10:39:31 +0200
Message-ID: <000001d0be10$9ab9b3c0$d02d1b40$>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQCgE/ogHwJetEhcLbEBOzoFDxgmTgJXCi9RAmhoqtqgFfpeMA==
Content-Language: en-gb
Archived-At: <>
Subject: Re: [pkix] Self-issued certificates
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 08:39:33 -0000

Hi Peter,

I understand the confusion.

I do not claim that X.509 is consistent. Sometime X.509 is more clear and sometime RFC 5280 is more clear. I often go to RFC 5280 to get some clarification.

It appears to me that there is no consistent, detailed model for PKI. People supplement the current model with their own interpretation based on legacy. That people have somewhat different models in mind is clear from many PKIX discussions.



-----Oprindelig meddelelse-----
Fra: Peter Bowen [] 
Sendt: 13 July 2015 20:20
Til: Erik Andersen
Cc: <>
Emne: Re: [pkix] Self-issued certificates

On Mon, Jul 13, 2015 at 12:30 AM, Erik Andersen <> wrote:
> It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509 
> definition is:
> 3.5.62  self-issued certificate: A CA certificate where the issuer and 
> the subject are the same CA. A CA might use self-issued certificates, 
> for example, during a key rollover operation to provide trust from the 
> old key to the new key.
> The problem you are facing is that the term entity is not clearly defined.
> Is a CA an entity or is CA is specific role for an entity among other 
> roles for the same entity?
> The RFC 5280 definition seems to assume that a CA is an entity, and 
> the two CA you mention are different entities, while X.509 does not 
> necessarily make that assumption.

OK.  Now I'm even more confused.

X.509 says an authority is an entity, responsible for the issuance of certificates and says a certificate authority is a type of authority.

How is RFC 5280 any more or less clear than X.509?  Is X.509's take the certificate I described different from that attributed to 5280?