Re: Path validation and self-signed certificates
Peter Sylvester wrote:
> Why does PKIX need to say something that is essentially
> already in X.509? Aren't self-signed certificates of type a)
> ignored for path validation in X.509?
Most of son-of-2459 is already in X.509. The purpose of our
document is to provide a profile of X.509 suitable for the
Internet. Why mention name chaining or signature checking in
son-of-2459? Because they're part of our profile.
Even if we decide to adopt the X.509 behavior and ignore
self-signed certificates, we should still mention that in
son-of-2459. It's not reasonable to expect people to figure out
that some requirement is part of the PKIX profile just because
there's one sentence on page 31 of the X.509 spec that explains it.
I'm suggesting that we add an additional requirement to our
validation algorithm, as we have done before by requiring
that the Issuer field MUST contain a non-empty distinguished
name (for instance). This requirement would be that the path
not contain any self-signed certificates.
-Steve
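To make the proposed rule concrete, here is an added example (not from this thread or any PKIX draft) in Go, using only the standard library's crypto/x509: it builds a constructed three-certificate hierarchy and checks a candidate path for the profile rules mentioned above, a non-empty issuer DN, name chaining, and no self-signed certificates in the path. It assumes the path excludes the trust anchor and that "self-signed" means the certificate's signature verifies under its own key, not merely that issuer and subject match.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a CA cert for cn; with parent == nil it is self-signed. Constructed test data only.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	signer, signerKey := tmpl, key // signing with its own key makes it self-signed
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// isSelfSigned: issuer == subject AND the signature verifies under the cert's own key (names alone prove nothing).
func isSelfSigned(c *x509.Certificate) bool { return bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil }

// checkPath applies the profile rules from the thread to a path ordered from the certificate issued by
// the trust anchor down to the end entity; the trust anchor itself is not part of the path.
// Names are compared byte-for-byte, a simplification of X.501 name matching.
func checkPath(path []*x509.Certificate) error {
	for i, c := range path {
		if len(c.Issuer.Names) == 0 {
			return fmt.Errorf("cert %d: issuer must be a non-empty DN", i)
		}
		if isSelfSigned(c) {
			return fmt.Errorf("cert %d (%s): self-signed certificate in path", i, c.Subject.CommonName)
		}
		if i > 0 && !bytes.Equal(c.RawIssuer, path[i-1].RawSubject) {
			return fmt.Errorf("cert %d: issuer does not chain to the previous subject", i)
		}
	}
	return nil
}
```

With a root, an intermediate and a leaf, the path [intermediate, leaf] passes, while [root, intermediate, leaf] is rejected because the root is self-signed and [leaf, intermediate] is rejected for broken name chaining.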