Re: [pkix] Self-issued certificates

"Miller, Timothy J." <tmiller@mitre.org> Mon, 13 July 2015 12:25 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: Peter Bowen <pzbowen@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Self-issued certificates
Date: Mon, 13 Jul 2015 12:25:11 +0000
Message-ID: <BY2PR09MB1097FB1563CBA1C7007626CAE9C0@BY2PR09MB109.namprd09.prod.outlook.com>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
In-Reply-To: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/uFBzcMCXndMVRyi0hn2CuTmxBXc>
Subject: Re: [pkix] Self-issued certificates

In X.509 (and PKIX) the name *is* the identity.  X.509 (and PKIX) binds keys to names; the key can change but the name remains invariant.  In contrast, SPKI/SDSI binds names to keys; the key remains invariant, but the name can change.

So if it has a different DN, it's not the same entity.  As a result there's no ambiguity in the RFC.

It is possible to bind the same key to different names.  Nothing stops you from presenting the same key to multiple CAs and claiming different names.  If your goal is pseudonymity, though, I wouldn't recommend this.  :)

It's also possible to use keys from X.509 certificates as entities and ignore the name--e.g., key continuity management (a.k.a. certificate pinning)--but this is outside the spec.

-- T 

> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Peter Bowen
> Sent: Sunday, July 12, 2015 5:03 PM
> To: pkix@ietf.org
> Subject: [pkix] Self-issued certificates
> 
> I'm trying to make sense of the definition of "self-issued certificates" in RFC
> 5280 (and X.509).
> 
> Section 3.2 provides a definition: "Self-issued certificates are CA certificates
> in which the issuer and subject are the same entity."
> However section 6.1 says "A certificate is self-issued if the same DN appears
> in the subject and issuer fields."
> 
> While it is clear that all certificates with the same DN for subject and issuer are
> self-issued, it is unclear to me whether a certificate with different DNs could
> be self-issued.  Section 6.1 could be giving one example of how a certificate
> could be self-issued or section 6.1 could be a limiting definition.
> 
> Consider the following example:
> Example Trust Services has two different private keys.  Each key has a single
> associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
> 
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
> 
> Is this CA certificate considered a self-issued certificate?
> 
> Thanks,
> Peter
> 