Re: [pkix] Self-issued certificates

Jeffrey Walton <noloader@gmail.com> Fri, 17 July 2015 05:58 UTC

To: 王文正 <wcwang@cht.com.tw>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/xzd1Lu_AmcWMVprjDzk-p80SUEw>
Cc: PKIX <pkix@ietf.org>

>> For root CA certs, the distinguished name regularly does not describe
>> the true entity that operates the CA anyway, because many of them change
>> ownership once or more often while they're in use.
>>
>>  e.g.  RSA->VeriSign->Symantec
>
> No matter who operates the CA, the CA is itself an entity and has its
> identity in the PKI world. People trust the VeriSign CA not because it is
> operated by Symantec Corp. or VeriSign Inc., it is because the CA fulfills
> some international security criteria and has been audited.

It may be worth noting: if you read the CPS and believe the company's
lawyers, then you probably would not trust most CAs.

It's strange the company's lawyers tell us the warez are not fit for
use, but we choose to trust them anyway....

Jeff