Re: CRLs and self-signed root certs.
On Sat, Dec 02, 2000 at 12:05:46PM +, Ben Laurie wrote:
> Bodo Moeller wrote:
> > Peter Gutmann [EMAIL PROTECTED]:
> > > Mats Nilsson [EMAIL PROTECTED]:
> > > > Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?
> > > No one knows (and I don't just mean that as a shoulder-shrug response, I mean that no one, at least on the PKIX list, actually knows what's supposed to happen in this situation). The behaviour from current apps is that some will accept a self-revocation, some will reject it, and a small number will crash or fail in some other way.
> > I like the idea of having the application crash in such a situation: Obviously the application developers noticed the similarity to the Epimenides paradox [1] and did not see any other way out except having the program vanish in a puff of logic.
> Eh? Surely if a cert revokes itself then one of two things has happened:
> a) The legitimate owner revoked it
> b) Someone else got hold of the private key and revoked it
> in either case, you want the cert to be revoked, right?

Sure. As I explained, there's nothing paradoxical about the Epimenides paradox either; but still it's often cited as a prototypical paradox. (I had hoped for someone to point out that the Greeks did not have a senate ...)

--
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: CRLs and self-signed root certs.
Ben Laurie [EMAIL PROTECTED] wrote:
> Eh? Surely if a cert revokes itself then one of two things has happened:
> a) The legitimate owner revoked it
> b) Someone else got hold of the private key and revoked it
> in either case, you want the cert to be revoked, right?

In case b, nothing would stop the impostor from issuing yet another CRL, one where the root certificate is no longer marked as revoked. It would surely fool some users. It's quite clear that an out-of-band procedure is necessary.

Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
> You can generate a new root certificate and use it to sign the new CRL which lists the old root certificate as revoked...

I'm not sure one should recognize the new root CA to be a legitimate revoker of the original certificate. Isn't it so, that only the issuer of a certificate can revoke a certificate? (where being an "issuer" is equivalent to holding the private key)

Mats
RE: CRLs and self-signed root certs.
I can imagine a scenario whereby an organization might choose to sign a death notice before going out of business. For example, suppose a commercial CA decided to go out of business; there might be benefits to their signing a CRL including their root certificate.

Frank

-----Original Message-----
From: Ben Laurie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 02, 2000 7:06 AM
To: [EMAIL PROTECTED]
Subject: Re: CRLs and self-signed root certs.

Bodo Moeller wrote:
> Peter Gutmann [EMAIL PROTECTED]:
> > Mats Nilsson [EMAIL PROTECTED]:
> > > Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?
> > No one knows (and I don't just mean that as a shoulder-shrug response, I mean that no one, at least on the PKIX list, actually knows what's supposed to happen in this situation). The behaviour from current apps is that some will accept a self-revocation, some will reject it, and a small number will crash or fail in some other way.
> I like the idea of having the application crash in such a situation: Obviously the application developers noticed the similarity to the Epimenides paradox [1] and did not see any other way out except having the program vanish in a puff of logic.

Eh? Surely if a cert revokes itself then one of two things has happened:
a) The legitimate owner revoked it
b) Someone else got hold of the private key and revoked it
in either case, you want the cert to be revoked, right?

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: CRLs and self-signed root certs.
Mats Nilsson wrote:
> Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
> > You can generate a new root certificate and use it to sign the new CRL which lists the old root certificate as revoked...
> I'm not sure one should recognize the new root CA to be a legitimate revoker of the original certificate. Isn't it so, that only the issuer of a certificate can revoke a certificate? (where being an "issuer" is equivalent to holding the private key)

No. Everybody can issue a CRL. A CA can issue a CRL with its own revoked certificates, but it can also issue a CRL with revoked certificates of other CAs (at least in X509v3...)

When you revoke your root certificate, you could issue a CRL and ask another CA to include your root certificate in their CRL.

Bye Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: CRLs and self-signed root certs.
Frank Balluffi wrote:
> I can imagine a scenario whereby an organization might choose to sign a death notice before going out of business. For example, suppose a commercial CA decided to go out of business; there might be benefits to their signing a CRL including their root certificate.

The question is: Has the CA issued certs and are they valid at the point of the revocation of the CA cert? Who maintains these certs?

At least in Germany a public CA that goes out of business has to find another CA that maintains the valid issued certificates. And this new CA has a CRL, where it can publish the revocation of the old root cert of the old CA.

Bye Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: CRLs and self-signed root certs.
Goetz Babin-Ebell [EMAIL PROTECTED] writes:
> Everybody can issue a CRL.

Only a CA with CRL signing enabled can issue a CRL.

> A CA can issue a CRL with its own revoked certificates, but it can also issue a CRL with revoked certificates of other CAs (at least in X509v3...)

A CA can't revoke another CA's certificates, only certificates which it has issued.

Peter.
RE: CRLs and self-signed root certs.
Yes. RFC 2459 (and X.509) call this an indirect CRL. See the issuing distribution point CRL extension and the certificate issuer CRL entry extension.

Frank

-----Original Message-----
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 04, 2000 3:27 PM
To: [EMAIL PROTECTED]
Subject: Re: CRLs and self-signed root certs.

> A CA can't revoke another CA's certificates, only certificates which it has issued.

Not so clear -- the CRL contains the issuer DN and a list of serial #'s (basically), but it doesn't have to be signed by a cert with that DN. (Yes, most clients will properly fail to verify, but the data structure most definitely allows for delegated CRL signing. I'm sure Entrust has some deltaCRL use that does this. :)
/r$
Re: CRLs and self-signed root certs.
Peter Gutmann wrote:
> Goetz Babin-Ebell [EMAIL PROTECTED] writes:
> > Everybody can issue a CRL.
> Only a CA with CRL signing enabled can issue a CRL.

Everybody who can generate a certificate with the proper flags can generate a CRL. But he has to find a way to let the user trust him in issuing the CRL...

> > A CA can issue a CRL with its own revoked certificates, but it can also issue a CRL with revoked certificates of other CAs (at least in X509v3...)
> A CA can't revoke another CA's certificates, only certificates which it has issued.

?? ITU-T X.509 (06/97): 11.2 Management of certificates [...] (page 25:)
- The CA shall maintain: [...]
  b) a time-stamped list of revoked certificates of all CAs known to the CA, certified by the CA.

2 possible meanings:
- It maintains a CRL of certificates issued by other CAs.
- It maintains a CRL of certificates issued by CAs that use certificates that this CA issued.

But in the definition of a CRL I didn't find anything saying that it can only revoke its own certificates...

Bye Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: CRLs and self-signed root certs.
Goetz Babin-Ebell [EMAIL PROTECTED] writes:
> Peter Gutmann wrote:
> > Goetz Babin-Ebell [EMAIL PROTECTED] writes:
> > > Everybody can issue a CRL.
> > Only a CA with CRL signing enabled can issue a CRL.
> Everybody who can generate a certificate with the proper flags can generate a CRL.

Sure, but this presupposes:

> > > A CA can issue a CRL with its own revoked certificates, but it can also issue a CRL with revoked certificates of other CAs (at least in X509v3...)
> > A CA can't revoke another CA's certificates, only certificates which it has issued.
> [...]
> But in the definition of a CRL I didn't find anything saying that it can only revoke its own certificates...

The standard can say pretty much anything it wants on the topic, but given that most current apps barely support any kind of CRL checking I'd say the usefulness of issuing one of these cross-CRLs is slightly lower than that of opening your window and shouting "Certificate 1234 from CA xyz is now revoked" out into the wind (at least one or two people will take notice of that, if only to shout back at you to shut up :-). Look at the way Sun revoked their CA cert a while back for an example of how far CRL functionality is trusted in the real world, and then extrapolate from normal CRLs to cross-CRLs...

Does anyone know of any generally-available (non-special-case, single-vendor, customised, etc etc) application which will handle one of these cross-CRLs?

Peter.
Re: CRLs and self-signed root certs.
Bodo Moeller wrote:
> Peter Gutmann [EMAIL PROTECTED]:
> > Mats Nilsson [EMAIL PROTECTED]:
> > > Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?
> > No one knows (and I don't just mean that as a shoulder-shrug response, I mean that no one, at least on the PKIX list, actually knows what's supposed to happen in this situation). The behaviour from current apps is that some will accept a self-revocation, some will reject it, and a small number will crash or fail in some other way.
> I like the idea of having the application crash in such a situation: Obviously the application developers noticed the similarity to the Epimenides paradox [1] and did not see any other way out except having the program vanish in a puff of logic.

Eh? Surely if a cert revokes itself then one of two things has happened:
a) The legitimate owner revoked it
b) Someone else got hold of the private key and revoked it
in either case, you want the cert to be revoked, right?

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: CRLs and self-signed root certs.
Mats Nilsson [EMAIL PROTECTED] writes:
> Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?

No one knows (and I don't just mean that as a shoulder-shrug response, I mean that no one, at least on the PKIX list, actually knows what's supposed to happen in this situation). The behaviour from current apps is that some will accept a self-revocation, some will reject it, and a small number will crash or fail in some other way.

Peter.
Re: CRLs and self-signed root certs.
Mats Nilsson wrote:
> Hi list.

Hallo Mats,

> Some philosophical questions: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?

Since the root certificate is at this time invalid, you can't use it to sign the CRL...

You can generate a new root certificate and use it to sign the new CRL which lists the old root certificate as revoked...

Every root cert needs its own serial number! (but this is a wise decision anyway...)

Bye Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: CRLs and self-signed root certs.
Goetz Babin-Ebell wrote:
> > Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?
> Since the root certificate is at this time invalid, you can't use it to sign the CRL...

Then sign a CRL with a revocation date in the future with regard to the CRL signing date. I don't believe anything stops a CA from announcing it will revoke a certificate _before_ it does it. I don't know if the client will like it.

Technically speaking the issuer of the root cert is the root cert itself, therefore it is entitled to revoke itself.
Re: CRLs and self-signed root certs.
Peter Gutmann [EMAIL PROTECTED]:
> Mats Nilsson [EMAIL PROTECTED]:
> > Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs?
> No one knows (and I don't just mean that as a shoulder-shrug response, I mean that no one, at least on the PKIX list, actually knows what's supposed to happen in this situation). The behaviour from current apps is that some will accept a self-revocation, some will reject it, and a small number will crash or fail in some other way.

I like the idea of having the application crash in such a situation: Obviously the application developers noticed the similarity to the Epimenides paradox [1] and did not see any other way out except having the program vanish in a puff of logic.

Anyway, if the certificate is truly invalid, then there is no reason why you should not be allowed to revoke it with itself. Seeing a CRL that includes the self-signed certificate of the CA that has issued that very CRL obviously shows that this certificate *must* be invalid.

Note that the same CA might own another self-signed certificate containing the same public key, and this second one might still be valid -- maybe the first certificate has been revoked because some attributes have changed. (Of course out-of-band measures are needed for authenticating such a second certificate.) This case shows why it is *necessary* for the CA to be able to revoke its own self-signed certificates. (The CRL just names the issuer, it is not bound to a specific certificate of this issuer; in general, any certificate containing the proper public key will do.)

[1] Epimenides is that Cretan guy who said that all Cretans are liars. Trying to decide whether this statement of his can be true (where it is assumed that liars must *never* say the truth) allegedly leads to a contradiction: If it is true, then he is a liar, so the statement must be false, so he is not a liar after all, so the statement must be true, etc. etc. There is in fact no contradiction in this -- if Epimenides is a liar but his neighbour isn't, then his statement is just plainly false. The assumption that Epimenides' statement is false does *not* imply that Epimenides cannot be a liar. Probably the Greek senate had not yet passed De Morgan's laws when this "paradox" was invented.
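The self-revocation case the whole thread circles (Mats's question, Peter's observation that some applications accept a self-revocation and some reject it, Bodo's argument that a CRL naming its own issuer's certificate must be honoured) can be tried against OpenSSL's own verifier. The script below is an added example and not code from any post in the thread: it builds a throwaway self-signed root with the openssl CLI, has that root issue a CRL listing its own serial number, and runs `openssl verify` against the root with and without `-crl_check`. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the subject name, serial numbers, config sections and file names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway self-signed root revokes
# itself with the openssl CLI, and OpenSSL's verifier is asked what it thinks.
# Assumptions: an `openssl` binary (1.1.1 or 3.x) on PATH; every name, serial
# number and path below is invented for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal `openssl ca` configuration. [req_dn] stays empty because the subject
# is supplied with -subj; $dir is expanded by openssl, not by the shell.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = test_ca

[ test_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir
certificate        = $dir/root.crt
private_key        = $dir/root.key
serial             = $dir/serial
crlnumber          = $dir/crlnumber
default_md         = sha256
default_crl_days   = 30
policy             = any_policy

[ any_policy ]
commonName         = supplied

[ req ]
default_md         = sha256
distinguished_name = req_dn

[ req_dn ]
EOF
touch index.txt
echo 2000 > serial      # next serial for end-entity certs (unused here)
echo 1000 > crlnumber   # CRL number for the first CRL

# 1. Self-signed root with a serial number we can recognise later (0x1001).
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Self-Revoking Test Root" -days 30 -set_serial 0x1001 \
    -keyout root.key -out root.crt 2>/dev/null

# 2. The root revokes its own certificate: `openssl ca -revoke` adds the cert
#    to index.txt (it was never "issued" through the database) and marks it R.
openssl ca -config ca.cnf -revoke root.crt \
    -crl_reason cessationOfOperation 2>/dev/null

# 3. The root then signs a CRL that lists its own serial number.
openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null

# Serial number(s) listed in the CRL, one per line, taken from `openssl crl -text`.
crl_revoked_serials() {
    openssl crl -in root.crl -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# Verification without consulting any CRL: exit 0 when OpenSSL accepts the root.
verify_without_crl() {
    openssl verify -CAfile root.crt root.crt >/dev/null 2>&1
}

# Verification with -crl_check: prints OpenSSL's verdict (stdout and stderr
# merged) and always exits 0 so the caller can inspect the text.
verify_with_crl() {
    openssl verify -crl_check -CAfile root.crt -CRLfile root.crl root.crt 2>&1 || true
}

echo "Serials revoked by the root's own CRL: $(crl_revoked_serials)"
if verify_without_crl; then
    echo "Without the CRL, OpenSSL accepts the root."
fi
echo "With -crl_check, OpenSSL says:"
verify_with_crl
```

The first verification succeeds because the root is in `-CAfile` and no CRL is consulted. The second fails with `error 23 at 0 depth lookup: certificate revoked`: with `-crl_check` OpenSSL looks for a CRL for the certificate at depth 0, which here is the root itself, takes the self-signed last certificate of the chain as the CRL issuer, verifies the CRL signature with the root's own key and finds serial 1001 on the list. That puts OpenSSL in the "accepts a self-revocation" group of Peter's survey. Note also what Mats warned about: whoever holds the root key can just as easily sign a later CRL (higher crlNumber) that omits the serial again, so the self-revocation only helps clients that fetched the CRL before that and is no substitute for removing the root out of band.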