Jean-Marc Desperrier wrote:
>> [...]. That Root is actually signed by the
>> same key and having the same issuer as Sub does not put it in the same level
>> as Sub since Root is selfsigned.

>I think you should rethink about the meaning of *self*-signed.

I don't claim to be the world's biggest expert on path validation so please bear with me.

>The issuer of Root *is* Root, so Root and Sub *do* share the same
>issuer, and they are at the same level.

Since Root is also the issuer of Sub, the consequence of this logic actually gives a self-signed Root certificate *two* places in a CA hierarchy:

       Root
      /    \
   Root    Sub

This can hardly be correct.

The problem is, as far as I can tell, that the "issuer" in a self-signed root is actually non-existent from a path-building point of view. In fact, there are no RFC 3280 requirements saying that trust anchors (roots) must be certificates at all; a public key is good enough. If you (as I did) distribute a root as a certificate, this should not change the validation rules; it is just a convenient way of packaging roots.

Apparently the Mozilla certificate database uses the logic you describe but other parties (MS, Java[keystore] and Adobe) do not according to my testing.

After some consideration, I concluded that this is likely to be a bug in Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=354628

thanx
Anders
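The two readings discussed in this message, as an added example that is not part of the original post or of any product's code. It is a simplified model with no real signature checks: the `Cert` and `TrustAnchor` types, the key labels and the EE certificate are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # subject public key (constructed label, not real key material)
    signed_by: str  # key that produced the signature (constructed label)

@dataclass(frozen=True)
class TrustAnchor:
    name: str
    key: str

def anchor_from_cert(cert):
    """Treat a self-signed certificate as packaging: keep only name and key."""
    if (cert.subject, cert.key) != (cert.issuer, cert.signed_by):
        raise ValueError("certificate is not self-signed")
    return TrustAnchor(cert.subject, cert.key)

def tree_by_issuer(certs):
    """Naive hierarchy: file every certificate under its issuer name."""
    children = {}
    for c in certs:
        children.setdefault(c.issuer, []).append(c.subject)
    return children

def build_path(target, anchor, pool):
    """Follow issuer links from target up to the anchor. The anchor is a
    name and key, so its own 'issuer' is never consulted."""
    path, current = [], target
    while len(path) <= len(pool):
        if (current.subject, current.key) == (anchor.name, anchor.key):
            return [anchor.name] + path[::-1]   # target is the anchor itself
        path.append(current.subject)
        link = (current.issuer, current.signed_by)
        if link == (anchor.name, anchor.key):
            return [anchor.name] + path[::-1]
        current = next((c for c in pool if (c.subject, c.key) == link), None)
        if current is None:
            raise ValueError("no path to the trust anchor")
    raise ValueError("issuer loop")

# Constructed sample hierarchy: Root -> Sub -> EE
ROOT = Cert("Root", "Root", "K_root", "K_root")
SUB = Cert("Sub", "Root", "K_sub", "K_root")
EE = Cert("EE", "Sub", "K_ee", "K_sub")
ANCHOR = anchor_from_cert(ROOT)
```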