Re: [pkix] Self-issued certificates
"Erik Andersen" <era@x500.eu> Tue, 14 July 2015 08:39 UTC
Hi Peter,

I understand the confusion. I do not claim that X.509 is consistent. Sometimes X.509 is more clear and sometimes RFC 5280 is more clear. I often go to RFC 5280 to get some clarification.

It appears to me that there is no consistent, detailed model for PKI. People supplement the current model with their own interpretation based on legacy. That people have somewhat different models in mind is clear from many PKIX discussions.

Regards,
Erik

-----Original Message-----
From: Peter Bowen [mailto:pzbowen@gmail.com]
Sent: 13 July 2015 20:20
To: Erik Andersen
Cc: <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates

On Mon, Jul 13, 2015 at 12:30 AM, Erik Andersen <era@x500.eu> wrote:
> It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509
> definition is:
>
> 3.5.62 self-issued certificate: A CA certificate where the issuer and
> the subject are the same CA. A CA might use self-issued certificates,
> for example, during a key rollover operation to provide trust from the
> old key to the new key.
>
> The problem you are facing is that the term entity is not clearly defined.
> Is a CA an entity or is CA a specific role for an entity among other
> roles for the same entity?
>
> The RFC 5280 definition seems to assume that a CA is an entity, and
> the two CAs you mention are different entities, while X.509 does not
> necessarily make that assumption.

OK. Now I'm even more confused. X.509 says an authority is an entity, responsible for the issuance of certificates and says a certificate authority is a type of authority.

How is RFC 5280 any more or less clear than X.509? Is X.509's take on the certificate I described different from that attributed to 5280?

Thanks,
Peter