On Thu, Nov 05, 2015 at 08:15:31PM -0500, Russ Housley wrote:

> It might be useful to remind people about the difference between self-signed
> certificates and self-issued certificates. RFC 5280 says:
>
> Self-signed certificates are self-issued certificates where the digital
> signature may be verified by the public key bound into the
> certificate. Self-signed certificates are used to convey a public
> key for use to begin certification paths.
>
> Self-issued certificates are CA certificates in which
> the issuer and subject are the same entity.
>
> Self-issued certificates can appear in the middle of a path when a CA is
> doing key rollover and is doing old-signed-by-new and new-signed-by-old.
> The rollover approach is described in RFC 2510; look for "key update".

Thanks, I tried to use the right term in this discussion, and by luck or
otherwise seem to have gotten it right.

> Self-signed certificates are one very popular way to distribute the public
> key and distinguished name for a trust anchor. The certification path
> validation procedures in Section 6 of RFC 5280 do not validate the signature
> on such a self-signed certificate. It says:
>
> When the trust anchor is provided in the form of a self-signed
> certificate, this self-signed certificate is not included as part of
> the prospective certification path.

Which is I think consistent with a recommendation to not check the
self-signatures of trust anchors.

In OpenSSL the definition of self-issued is as you explained, while
self-signed requires all of the below.

* Self-issued as a pre-requisite.
* If an authority key id is present, it must match.
* If keyUsage is present, it must permit certificate signing[0]

So for a CA, a self-issued certificate can avoid being self-signed by having
an authority key identifier that through its key id, or serial number
identifies some other certificate as the issuer.

-- 
Viktor.

[0] The check of the keyUsage is a recent addition.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
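As an added example, not part of the thread and not OpenSSL's own code, here is a small Python model of the three-condition self-signed test described above, applied to a constructed RFC 2510-style key rollover (old-signed-by-new and new-signed-by-old). The `Cert` record, the CA name, the key identifiers and the serial numbers are all assumptions; like OpenSSL's flag, the check is structural and does not verify the signature itself.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

KEY_CERT_SIGN = "keyCertSign"

@dataclass(frozen=True)
class Cert:
    # Constructed model with only the fields the test needs, not a parsed X.509 object.
    subject: str
    issuer: str
    subject_key_id: bytes
    serial: int
    akid_key_id: Optional[bytes] = None    # AKID keyIdentifier, if present
    akid_serial: Optional[int] = None      # AKID authorityCertSerialNumber, if present
    key_usage: Optional[FrozenSet[str]] = None  # None means the extension is absent

def is_self_issued(c: Cert) -> bool:
    """RFC 5280: issuer and subject name the same entity."""
    return c.subject == c.issuer

def akid_points_to_self(c: Cert) -> bool:
    """Absent AKID imposes nothing; each present component must match this cert's own SKID / serial."""
    if c.akid_key_id is not None and c.akid_key_id != c.subject_key_id:
        return False
    if c.akid_serial is not None and c.akid_serial != c.serial:
        return False
    return True

def is_self_signed(c: Cert) -> bool:
    """The three conditions from the mail. Structural only, as OpenSSL's flag is;
    no cryptographic verification of the signature happens here."""
    return (is_self_issued(c) and akid_points_to_self(c)
            and (c.key_usage is None or KEY_CERT_SIGN in c.key_usage))

def classify(c: Cert) -> str:
    if is_self_signed(c):
        return "self-signed"
    return "self-issued" if is_self_issued(c) else "other"

# Constructed rollover scenario: same CA name, key K1 (SKID 01) replaced by
# K2 (SKID 02), with old-signed-by-new and new-signed-by-old cross-certs.
CA = "CN=Example CA"
SIGN = frozenset({KEY_CERT_SIGN, "cRLSign"})
OLD_ROOT = Cert(CA, CA, b"\x01", 1, akid_key_id=b"\x01", key_usage=SIGN)
NEW_ROOT = Cert(CA, CA, b"\x02", 2, akid_key_id=b"\x02", key_usage=SIGN)
OLD_WITH_NEW = Cert(CA, CA, b"\x01", 3, akid_key_id=b"\x02", key_usage=SIGN)
NEW_WITH_OLD = Cert(CA, CA, b"\x02", 4, akid_key_id=b"\x01", key_usage=SIGN)
NO_CERT_SIGN = Cert(CA, CA, b"\x02", 5, akid_key_id=b"\x02",
                    key_usage=frozenset({"digitalSignature"}))  # footnote [0] case
END_ENTITY = Cert("CN=www.example.com", CA, b"\xee", 6, akid_key_id=b"\x02")
```

The two rollover cross-certificates come out as self-issued but not self-signed, because their AKID names the other key, which is exactly what lets them sit in the middle of a path.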