Re: [pkix] Self-issued certificates

"Miller, Timothy J." <tmiller@mitre.org> Wed, 15 July 2015 18:42 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: 王文正 <wcwang@cht.com.tw>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6Win+gscY4xki0Ne4yM5Okv53YpJmAgADHUoCAAC03gIABiFsAgABHlACAAXDtAIAAB9uA
Date: Wed, 15 Jul 2015 18:41:29 +0000
Message-ID: <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>
References: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw> <20150714201254.42B171A1DE@ld9781.wdf.sap.corp> <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/xD0jCw4aHhiX-LAX5DZ7o6igtHo>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
List-Id: PKIX Working Group <pkix.ietf.org>

> Isn't it dangerous to trust two entities as the same one simply because they have similar DNs? How do you know these two CAs are the same one?

I suppose it bears mentioning that you should never accept a trust anchor without some kind of verification.  An RFC 4210 rollover announcement is fine and dandy if and only if you already trusted the old anchor.  If you don’t, then you need to go out-of-band, and part of that is verifying that the entity named is the entity you expect.

— T
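The rule in the message above, as an added example that is not part of the thread or of any CA product: a new CA certificate is accepted as a trust anchor only if an RFC 4210 section 4.4 NewWithOld certificate for it is signed by an anchor already held, or if its fingerprint matches one obtained out of band. A subject DN that looks like the old one counts for nothing on its own. The code assumes the `cryptography` package; every key and certificate is generated inline as constructed test data, and the function and scenario names are the example's own.

```python
import datetime
import hmac

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import NameOID

# Fixed clock so the constructed certificates are always inside their validity.
NOW = datetime.datetime(2015, 7, 15, tzinfo=datetime.timezone.utc)
TEN_YEARS = datetime.timedelta(days=3650)


def make_ca_cert(subject, subject_key, issuer, issuer_key):
    """Build a CA certificate for subject_key signed by issuer_key (constructed test data)."""
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + TEN_YEARS)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def spki_der(cert):
    """DER SubjectPublicKeyInfo, so keys are compared rather than names."""
    return cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def signed_by(cert, issuer_cert):
    """True iff cert's signature verifies under issuer_cert's public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def accept_new_anchor(candidate, trusted, new_with_old=None, oob_fingerprint=None):
    """Decide whether candidate may be installed as a trust anchor.

    Returns a short reason string on acceptance, None on rejection.
    trusted: anchors already held.  new_with_old: the RFC 4210 section 4.4
    NewWithOld certificate (new key signed by the old key), if the CA sent one.
    oob_fingerprint: SHA-256 fingerprint obtained through an out-of-band channel.
    """
    # (a) Rollover chained to existing trust: NewWithOld must be issued by an
    # anchor we already hold, carry exactly the candidate's subject and key,
    # and verify under that anchor's key.  Comparing the key, not just the DN,
    # stops a NewWithOld issued for one key from blessing a different one.
    if new_with_old is not None:
        for anchor in trusted:
            if (new_with_old.issuer == anchor.subject
                    and new_with_old.subject == candidate.subject
                    and spki_der(new_with_old) == spki_der(candidate)
                    and signed_by(new_with_old, anchor)):
                return "rollover chained to trusted anchor " + anchor.subject.rfc4514_string()
    # (b) Nothing to chain from: the operator must have verified the anchor out
    # of band, modelled here as a fingerprint obtained over another channel.
    if oob_fingerprint is not None and hmac.compare_digest(
            candidate.fingerprint(hashes.SHA256()), oob_fingerprint):
        return "out-of-band fingerprint match"
    # A familiar subject DN proves nothing: anyone can put it in a self-signed cert.
    return None


def demo():
    """Run the check over constructed scenarios; returns {scenario: accepted?}."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    old_key, new_key, attacker_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    old_anchor = make_ca_cert(name, old_key, name, old_key)          # what we trust today
    new_anchor = make_ca_cert(name, new_key, name, new_key)          # the CA's real successor
    new_with_old = make_ca_cert(name, new_key, name, old_key)        # RFC 4210 NewWithOld
    impostor = make_ca_cert(name, attacker_key, name, attacker_key)  # same DN, unrelated key
    trusted = [old_anchor]
    real_fp = new_anchor.fingerprint(hashes.SHA256())
    return {
        "rollover_with_trusted_old": accept_new_anchor(new_anchor, trusted, new_with_old) is not None,
        "same_dn_no_chain": accept_new_anchor(impostor, trusted) is not None,
        "same_dn_with_others_new_with_old": accept_new_anchor(impostor, trusted, new_with_old) is not None,
        "rollover_but_old_not_trusted": accept_new_anchor(new_anchor, [], new_with_old) is not None,
        "oob_fingerprint_match": accept_new_anchor(new_anchor, [], oob_fingerprint=real_fp) is not None,
        "oob_fingerprint_mismatch": accept_new_anchor(impostor, [], oob_fingerprint=real_fp) is not None,
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print("%-36s %s" % (scenario, "ACCEPT" if accepted else "REJECT"))
```

The `rollover_but_old_not_trusted` scenario is the "if and only if" in the message: a perfectly valid NewWithOld certificate is worthless to a relying party that never held the old anchor, and the only path left is the out-of-band one.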