
Re: When to set CA = True ?




Jean-Marc Desperrier wrote:
Peter Sylvester wrote:
RFC 3280 says:

  This extension MAY appear as a critical
  or non-critical extension in CA certificates that contain public keys
  used exclusively for purposes other than validating digital
  signatures on certificates.    Such CA certificates include ones that
  contain public keys used exclusively for validating digital
  signatures on CRLs and ones that contain key management public keys
  used with certificate enrollment protocols.
This does not exclude OCSP, SCVP, DVCS responders, TSAs, LTAP servers
XKMS services or whatever else you might associate to a CA.
Yes, it doesn't. On the other hand, it just says it can occur inside them; it doesn't say which value should be used.
  The basic constraints extension identifies whether the subject of the
  certificate is a CA ...
  The cA boolean indicates whether the certified public key belongs to
  a CA.
I don't think that this really matters.
I'm now certain it matters even more than I thought, and also that my interpretation was too open.
I've just checked what exactly X.509/200508 says about it.
http://www.itu.int/rec/T-REC-X.509-200508-I/en
Well, it's a similar text, but the differences make it a lot clearer about what the intent is:

8.4.2.1 Basic constraints extension
This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate
signatures. [...]
The cA component indicates if the certified public key may be used to verify certificate signatures.

So here we are, one should only set cA=true on keys that are intended to sign other certificates.

I had a talk about this with Peter on monday.

He has noticed an additional point: the path validation algorithm in X.509/200508 does not require checking the key usage extension.
All certs that have cA=TRUE are valid to sign other certificates.

We therefore have a very clear contradiction between X.509 and the following in RFC 3280:
  This extension MAY appear as a critical
  or non-critical extension in CA certificates that contain public keys
  used exclusively for purposes other than validating digital
  signatures on certificates.

About X.509, Peter thinks, and I agree with him, that it would be best to issue a Technical Corrigendum to align it with RFC 3280 and require the checking of KeyUsage in path validation. But still, that leaves potentially many implementations that use the current path validation and will consider any cA=TRUE cert as valid to issue other certs.

My point of view on this subject (I know Peter strongly disagrees) is that setting cA=TRUE on CA certificates that contain public keys not intended to validate other certs is not terribly useful.
AFAIK existing usage is not to set it to true.
Verisign does not set it to true on its OCSP responders.
The Microsoft CA does not set it to true on key recovery certificates.
I've never seen any vendor set it to true on their non-cert-signing, non-CRL-signing certs.

I'd strongly be in favor of simply removing that text, and recommending instead that cA be set to TRUE only for public keys that can sign other certs. I don't see the gain of allowing it to be set for other key pairs that justifies the potential risk it creates for any existing application that does path validation according to X.509 instead of according to RFC 3280.

Also, about my point that the current text should be understood as meaning that only certs that have the same DN as the CA can have cA set to TRUE, I was beginning to think that maybe it was far-fetched and I was overinterpreting the meaning of 'subject', but there's another part of the text that leads to the same conclusion:

4.1.2.6  Subject

   [...] If
   the subject is a CA (e.g., the basic constraints extension, as
   discussed in 4.2.1.10, is present and the value of cA is TRUE), then
   the subject field MUST be populated with a non-empty distinguished
   name matching the contents of the issuer field (section 4.1.2.4) in
   all certificates issued by the subject CA. [...]

So if the cert has cA set to TRUE, the subject is a CA. And if the subject is a CA, the subject field MUST be populated with the DN the CA uses when signing certificates.
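The divergence the thread describes, as an added example that is not part of the original message or of any standard text: a small script that encodes and decodes the BasicConstraints and KeyUsage extensions in DER, then runs the same certificate through two "may this key issue certificates?" checks, one that looks only at cA (the X.509/200508 path validation behaviour described above) and one that also requires keyCertSign when KeyUsage is present (RFC 3280 section 6.1.4, steps (k) and (n)). The DER encoder/decoder is hand-rolled here so the example runs offline with no third-party library; the three sample extension blocks (an issuing CA, an OCSP responder carrying cA=TRUE as RFC 3280 permits, and an ordinary end-entity cert) are constructed for the demonstration and do not come from any real certificate.

```python
"""Compare X.509-style and RFC 3280-style 'may issue certificates' decisions.

Hand-rolled DER for the two extensions discussed in the thread; constructed
sample data only. Bit numbers follow RFC 3280 4.2.1.3 (KeyUsage BIT STRING).
"""
from typing import Dict, Optional, Set, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
DIGITAL_SIGNATURE, KEY_CERT_SIGN, CRL_SIGN = 0, 5, 6


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short-form length; all values here are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_extensions(ca: Optional[bool], key_usage_bits: Optional[Set[int]]) -> bytes:
    """Build an Extensions SEQUENCE; both extensions are marked critical for simplicity."""
    exts = b""
    if ca is not None:
        # DER rule: cA is DEFAULT FALSE, so cA=FALSE is encoded by omitting it.
        bc_body = _tlv(0x01, b"\xff") if ca else b""
        exts += _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff")
                     + _tlv(0x04, _tlv(0x30, bc_body)))
    if key_usage_bits:
        nbits = max(key_usage_bits) + 1
        payload = bytearray((nbits + 7) // 8)
        for b in key_usage_bits:        # bit 0 is the MSB of the first octet
            payload[b // 8] |= 0x80 >> (b % 8)
        unused = len(payload) * 8 - nbits
        exts += _tlv(0x30, _tlv(0x06, OID_KEY_USAGE) + _tlv(0x01, b"\xff")
                     + _tlv(0x04, _tlv(0x03, bytes([unused]) + bytes(payload))))
    return _tlv(0x30, exts)


def parse_extensions(der: bytes) -> Dict[bytes, Tuple[bool, bytes]]:
    """Return {extnID: (critical, extnValue contents)} for an Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30
    out, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid, p = _read_tlv(ext, 0)
        t, val, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                    # optional critical BOOLEAN present
            critical = val != b"\x00"
            _, val, p = _read_tlv(ext, p)
        out[oid] = (critical, val)
    return out


def basic_constraints_ca(exts) -> Optional[bool]:
    """None if the extension is absent, else the decoded cA boolean."""
    if OID_BASIC_CONSTRAINTS not in exts:
        return None
    _, seq, _ = _read_tlv(exts[OID_BASIC_CONSTRAINTS][1], 0)
    if not seq:                          # empty SEQUENCE: cA took its DEFAULT FALSE
        return False
    tag, val, _ = _read_tlv(seq, 0)
    return tag == 0x01 and val != b"\x00"


def key_usage(exts) -> Optional[Set[int]]:
    """None if KeyUsage is absent, else the set of bit numbers that are set."""
    if OID_KEY_USAGE not in exts:
        return None
    _, bits, _ = _read_tlv(exts[OID_KEY_USAGE][1], 0)
    unused, payload = bits[0], bits[1:]
    nbits = len(payload) * 8 - unused
    return {i for i in range(nbits) if payload[i // 8] & (0x80 >> (i % 8))}


def x509_may_issue(exts) -> bool:
    """X.509/200508 path validation as described in the thread: cA alone decides."""
    return basic_constraints_ca(exts) is True


def rfc3280_may_issue(exts) -> bool:
    """RFC 3280 6.1.4: cA TRUE and, if KeyUsage is present, keyCertSign set."""
    ku = key_usage(exts)
    return basic_constraints_ca(exts) is True and (ku is None or KEY_CERT_SIGN in ku)


# Constructed samples (not real certificates).
CA_EXTS = encode_extensions(ca=True, key_usage_bits={KEY_CERT_SIGN, CRL_SIGN})
OCSP_EXTS = encode_extensions(ca=True, key_usage_bits={DIGITAL_SIGNATURE})  # cA=TRUE, no keyCertSign
EE_EXTS = encode_extensions(ca=False, key_usage_bits={DIGITAL_SIGNATURE})


def audit(der: bytes) -> Tuple[Optional[bool], Optional[Set[int]], bool, bool]:
    """(cA, keyUsage bits, X.509 verdict, RFC 3280 verdict) for one extension block."""
    exts = parse_extensions(der)
    return basic_constraints_ca(exts), key_usage(exts), x509_may_issue(exts), rfc3280_may_issue(exts)


if __name__ == "__main__":
    for name, der in (("issuing CA", CA_EXTS), ("OCSP responder", OCSP_EXTS), ("end entity", EE_EXTS)):
        ca, ku, x509_ok, rfc_ok = audit(der)
        print(f"{name:15} cA={ca} keyUsage={sorted(ku)} X.509:{x509_ok} RFC3280:{rfc_ok}")
```

The OCSP responder sample is the case the thread worries about: an RFC 3280 validator rejects it as an issuer because keyCertSign is missing, while a validator that follows the X.509/200508 algorithm and never consults KeyUsage accepts any certificate it signs. Running the audit over the actual extensions of a deployed responder or key-recovery certificate is the quickest way to see which side of that gap a given PKI sits on.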