Re: [pkix] Self-issued certificates

Brian Smith <brian@briansmith.org> Mon, 13 July 2015 01:57 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC7F1ACD4B for <pkix@ietfa.amsl.com>; Sun, 12 Jul 2015 18:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.522
X-Spam-Level: **
X-Spam-Status: No, score=2.522 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJdp6gx2PlHz for <pkix@ietfa.amsl.com>; Sun, 12 Jul 2015 18:57:12 -0700 (PDT)
Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com [209.85.218.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91FF81ACCF8 for <pkix@ietf.org>; Sun, 12 Jul 2015 18:57:12 -0700 (PDT)
Received: by oihq81 with SMTP id q81so30926954oih.2 for <pkix@ietf.org>; Sun, 12 Jul 2015 18:57:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jlj17CwnBwkjVDShSxjf2bSimlgMcKt7QVnIRawfnhc=; b=K01e/dhOdJy5f3CJb1vwslqZGcLdLBMoLIVDutp4PtBxgDq8tCOv3Fpw04mVO+YGKL tqybbGmz7xon0Al24GULsrBiRMefwS4L15U75QtlPkUS/bmxNbEGR/VR2LR5YtE+FCtg /cXyYb1TaEpZLDXUkkKVFIIYH5Z6VmJVODixtUlMEAREO5AFuIbGQFRWZNdJrKQzWZUf 5YUEojSOYLtJn8nVhZwqmh2OfEsU2TSc3UUh3IU1CkdjcyZ8LfRw3MhxIkRbcUNnXoAJ LuvlaxqxZ6sp7O5/MEV7k+xFisbC9duXp6ET54WupL5B1elMsOOvxMqkm/LyFTRDJl8j JzCw==
X-Gm-Message-State: ALoCoQk77m6KrS5wG/97AWKImedUohfXN6Sd0kerCR9abBtV0syAjh6R0cinj5NNyNdtJUu/+siR
MIME-Version: 1.0
X-Received: by 10.202.86.215 with SMTP id k206mr26768197oib.13.1436752631846; Sun, 12 Jul 2015 18:57:11 -0700 (PDT)
Received: by 10.76.90.97 with HTTP; Sun, 12 Jul 2015 18:57:11 -0700 (PDT)
In-Reply-To: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
References: <CAK6vND-muOnNMo62LKMYJcvLUsQjbau-fuWuhnAj4aLQ2ENH-g@mail.gmail.com>
Date: Sun, 12 Jul 2015 21:57:11 -0400
Message-ID: <CAFewVt5mxdMbnZPOe=OQoLaeX_FdBZUSp-BmqHSpHHBPDyNKNQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Peter Bowen <pzbowen@gmail.com>
Content-Type: multipart/alternative; boundary=001a113d7ba6406f58051ab80a55
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/yQvAb6c_UVGkrJ9HO27871UhGGo>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 01:57:14 -0000

Peter Bowen <pzbowen@gmail.com> wrote:

> Consider the following example:
> Example Trust Services has two different private keys.  Each key has a
> single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
>
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
>
> Is this CA certificate considered a self-issued certificate?
>

No, because the issuer and subject fields are not equal.

For further justification,, it helps to look at what "self-issued" is used
for in RFC 5280: exceptions for the normal path length constraints, policy
constraints, name constraints rules, and (IIRC) nothing else. There's
nothing to indicate that such exceptions would warranted for that
certificate.

In fact, mozilla::pkix doesn't recognize self-issued certificates at all,
and so doesn't implement those exceptions. So far, this has not caused any
problems, so as far as the Web PKI is concerned, it is likely we can forget
about the concept of self-issued certificate completely. And, that's what I
recommend that people do.

Cheers,
Brian