Re: [pkix] Self-issued certificates

王文正 <wcwang@cht.com.tw> Tue, 14 July 2015 15:59 UTC

Return-Path: <wcwang@cht.com.tw>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 622E01A1B6F for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 08:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.525
X-Spam-Level: ****
X-Spam-Status: No, score=4.525 tagged_above=-999 required=5 tests=[BAYES_50=0.8, CHARSET_FARAWAY_HEADER=3.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_TW=1.335, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ftloif_na7rJ for <pkix@ietfa.amsl.com>; Tue, 14 Jul 2015 08:59:19 -0700 (PDT)
Received: from scan12.cht.com.tw (scan12.cht.com.tw [202.39.160.142]) by ietfa.amsl.com (Postfix) with ESMTP id 4648B1A1B77 for <pkix@ietf.org>; Tue, 14 Jul 2015 08:59:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=cht.com.tw; s=bill; c=relaxed/simple; q=dns/txt; i=@cht.com.tw; t=1436889555; x=1439481555; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ypmsnYTD0/21z4kUvsQ40fREWPf6M6uZUNsH9ANhr9A=; b=CUoY3zJ7uKHI/dz9IsD7AvfVqf1anmpG3wiUp7NRSYWLv0QWEq387nGSGj9DDJmQ BkBC1RHOPwGQBUp2yADVvGJTAv650rYiRfaPdECV9+RxE5QGj4lOA72MhBSTMAGj rxJ/9fQ/QbmftlaRZQ7flKF7OG7586Zhf5XUBw8C8uA=;
X-AuditID: 0aa00766-f798c6d000002b61-47-55a531d320ca
Received: from scanrelay2.cht.com.tw ( [10.160.7.107]) by scan12.cht.com.tw (CHT Outgoing ESMTP Mail Server) with SMTP id 09.14.11105.3D135A55; Tue, 14 Jul 2015 23:59:15 +0800 (CST)
Received: from HUB6.app.corp.cht.com.tw (unknown [10.172.18.164]) by scanrelay2.cht.com.tw (Symantec Mail Security) with ESMTP id BFE96C000088; Tue, 14 Jul 2015 23:59:15 +0800 (CST)
Received: from CAS5.app.corp.cht.com.tw (10.172.18.161) by HUB6.app.corp.cht.com.tw (10.172.18.164) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 14 Jul 2015 23:56:49 +0800
Received: from MBS6.app.corp.cht.com.tw ([fe80::3178:69dd:b794:fa86]) by CAS5.app.corp.cht.com.tw ([fe80::8d2:3a3e:f009:84df%12]) with mapi id 14.02.0342.003; Tue, 14 Jul 2015 23:56:42 +0800
From: =?iso-2022-jp?B?GyRCMiZKOEA1GyhC?= <wcwang@cht.com.tw>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6GAYPrVwbgc064vRlSWTnR1Z3YHn2AgAEqVND//8o1gIABb2ZwgACfJkc=
Date: Tue, 14 Jul 2015 15:56:42 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw>
References: <20825998BCB8D84C983674C159E25E753D620DDF@mbs6.app.corp.cht.com.tw> <20150713163225.588A01A1DD@ld9781.wdf.sap.corp>
In-Reply-To: <20150713163225.588A01A1DD@ld9781.wdf.sap.corp>
Accept-Language: zh-TW, en-US
Content-Language: zh-TW
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mimectl: Produced By Microsoft Exchange V14.2.247.1
x-originating-ip: [202.39.167.17]
Content-Type: multipart/alternative; boundary="_000_20825998BCB8D84C983674C159E25E753D621BA2mbs6appcorpchtc_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrHKsWRmVeSWpSXmKPExsXCtYA9W/ey4dJQg5dXTC16f+9gtrh4sMiB yWPJkp9MHlM+b2UMYIpqYLRJzMvLL0ksSVVISS1OtlVKzijRTcksTs5JzMxNLdJNzUtXUshM sVUyUVIoyElMTs1NzSuxVUosKEjNS1Gy41LAADZAZZl5Cql5yfkpmXnptkqewf66FhamlrqG SnYBOamJxakKSakKiSllmcWpKQoJG2QytnefZitoUq9YPv0jewPjDIUuRk4OCQETiY8NU5gh bDGJC/fWs3UxcnEICWxnlDhx6gE7hLOTUWLRs3OscJlb5zqgnEOMEnO2P2MB6WcTsJH4f3Up I4gtIqAocat9GlA7BwezgIRE302wdcICOhK37uxngijRlbj07DsbSImIgJ/Euo2WIGEWAVWJ Q5Mng03kFfCX6FyyiAViVSPQRX/esoMkOIFWnTm6BsxmFJCVeLLgGdhMZgFxiXMXW9kh3hGQ WLLnPNRrohIvH/9jhbBNJX5t+MAIslcC6My+xXIQrfkS3ybtZ4TYKyhxcuYTlgmMErOQTJ2F pGwWkjKIuL7EnomnoGxtiWULXzND2HoS93b8ZYWwLSU+vl7AjKxmASPHKkbB4uTEPEMjPWCq 0EvOz9UrKd/ECElbaTsYt893PMQowMGoxMPb8GBxqBBrYllxZS4w3DmYlUR4/SSWhgrxpiRW VqUW5ccXleakFh9iNAWG4kRmKdHkfGBKzSuJNzS2NLYwNDIwMza3sFAS553emhkiJJAOTI7Z qakFqUUwfUwcnFINjPEl39tmLF7Y5jirIfGqzAMPr9sz0hIDzWSaNh63FtWRY1d/9S7v6aRG Gd8u3iP8GiInsriCdRjXsegbXNiw299jh290jwOHibfft4kGTjofZHbVLljU5XUsOdZ5c6OB 63L5WaunX3u4ZItP9nFl9ycx+m03anfZLL4dU5X7ZN4ms0TeyztalFiKMxINtZiLihMB1r8u VHEDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/t7oro5do5MMk0vkyJumEOUSBpSo>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 15:59:23 -0000

Hi Martin,

Regarding your simile of "key rollover with self-issued certificates" as "the use of anti-personnel land mines", I appreciate your sense of humor.

However, since "key rollover with self-issued certificates" is the standard method suggested by X.509 and PKIX, your simile seems to implies both X.509 and PKIX are violating the 1997 UN convention. Do you really mean that? :)

I believe the philosophy of X.509 (or the whole X.500 series) is that a Distinguished Name (DN) represents the identity of an entity. Therefore, if the DN is changed, it means the identity of that entity has been changed. With this philosophy, the DN of each entity should not be changed unless its identity is changed. Especially, a root CA is the trust anchor, which should not change its DN between generations of CA keys, otherwise relying parties will be confused about whether they are the same root CA entity.
It is unfortunately that many COTS have not yet fully implement the certification path validation algorithm specified in X.509 or RFC 5280, therefore many root CAs choosed to change their DNs whenever they performed key rollovers. They actually bred logically new root CAs whenever they doing so. As a result, there were more and more root CAs created. Please take a look at trust lists maintained by browsers, Those lists are really messy adn it is hard to tell which one is which.

Wen-Cheng Wang

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Tuesday, July 14, 2015 12:32 AM
To: 王文正
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

A CA which attempts to perform key rollover with self-issued certificates is violating the 1997 UN convention on the prohibition on the use of anti-personel land mines.

Public CAs seem to do it properly and safely, and include a generation identifier in the subject DNames of new CA keys.

Do not be surprised if your attempts to use self-issued certificates fail with other PKI software as well.

-Martin

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.