<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class="">This code is currently being used by Akamai to check for the validity of certificates.</div></div><div class=""><br class=""></div>I find it highly unusual for multiple certificates with the same SubjectDN to be valid simultaneously.<div class="">All those certificates would need to have a unique serial number; but the Issuer’s serial number is not included in the certificate, so there’s no easy way to determine the issuing certificate.</div><div class=""><br class=""></div><div class="">To validate those chains, the signature would have to be validated using the public key of each certificate that matches the Issuer. That can be an expensive proposition, and there are clients that will give up after the first failure.<div class=""><div class=""><br class=""></div><div class="">Have you seen any chains like this IRL?</div><div class=""><br class=""></div><div class="">Do you know of any CAs that have their chains set up like this?</div><div class=""><br class=""><div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">--</div><div class="">-Todd Short</div><div class="">// <a href="mailto:tshort@akamai.com" class="">tshort@akamai.com</a></div><div class="">// “One if by land, two if by sea, three if by the Internet."</div></div>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Feb 27, 2015, at 5:31 PM, Brian Smith <<a href="mailto:brian@briansmith.org" class="">brian@briansmith.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">Short, Todd via RT <<a href="mailto:rt@openssl.org" class="">rt@openssl.org</a>> wrote:<br class=""><blockquote type="cite" class="">Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer.<br class="">Given that the subject certificate is self-signed, it means that the issuer and the subject are the same certificate. This change verifies that.<br class=""><br class="">Github link:<br class=""><a href="https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b" class="">https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b</a><br class=""></blockquote><br class="">Could you explain this more?<br class=""><br class="">In your patch, there is a comment that says "Input certificate<br class="">(subject) is self signed." But, the test is that the issuer name<br class="">equals the subject name. That means the certificate is self-*issued*,<br class="">not self-*signed*.<br class=""><br class="">Consider this chain:<br class=""><br class="">{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }<br class="">{ Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }<br class="">{ Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }<br class=""><br class="">All three certificates are self-issued. The issuer of the first<br class="">certificate is not self-signed but it is self-issued. 
But, it being<br class="">self-issued doesn't matter because it isn't a trust anchor.<br class=""><br class="">Consider this chain:<br class=""><br class="">{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }<br class="">{ Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }<br class="">{ Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }<br class=""><br class="">The first certificate is self-signed and self-issued. Its issuer is<br class="">not self-signed or self-issued, so your patch would reject this chain.<br class="">But, this is a valid chain.<br class=""><br class="">Cheers,<br class="">Brian<br class="">_______________________________________________<br class="">openssl-dev mailing list<br class="">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" class="">https://mta.openssl.org/mailman/listinfo/openssl-dev</a><br class=""></div></blockquote></div><br class=""></div></div></div></body></html>
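The two chains from Brian's reply, modelled as an added example that is not code from the thread or from OpenSSL: certificates are records in Brian's {Subject, Issuer, Key, Signed by} notation, signature verification is modelled as key-label equality, and `Cert`, `find_issuer` and `validate_chain` are hypothetical names. It shows that "self-issued" is only a name test while "self-signed" also needs the signature to verify under the certificate's own key, that the real issuer among several same-SubjectDN candidates (Todd's concern) is found by trying each candidate's key rather than stopping at the first name match, and that the patch's issuer rule rejects the second chain even though it is valid.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # public key the certificate carries (modelled as a label)
    signed_by: str    # key that actually produced the certificate's signature
    trust_anchor: bool = False

def is_self_issued(c: Cert) -> bool:
    # Name test only: issuer DN equals subject DN. This is what the patch actually tests.
    return c.issuer == c.subject

def is_self_signed(c: Cert) -> bool:
    # Self-signed = self-issued AND the signature verifies under the cert's own key.
    return is_self_issued(c) and c.signed_by == c.key

def find_issuer(c: Cert, candidates: List[Cert]) -> Optional[Cert]:
    # Several candidates may carry the issuer's subject DN and the child does not name the
    # issuer's serial, so the only discriminator is whose key verifies: try every name match.
    for cand in candidates:
        if cand.subject == c.issuer and cand.key == c.signed_by:
            return cand
    return None

def validate_chain(chain: List[Cert], patched: bool = False) -> bool:
    # chain[0] is the end entity, chain[-1] the trust anchor; only the anchor must be self-signed.
    for i, cert in enumerate(chain):
        if cert.trust_anchor:
            return is_self_signed(cert)
        issuer = find_issuer(cert, chain[i + 1:])
        if issuer is None:
            return False
        # The proposed extra rule: a self-issued subject must have a self-issued issuer.
        if patched and is_self_issued(cert) and not is_self_issued(issuer):
            return False
    return False  # ran out of certificates before reaching a trust anchor

# Constructed chains, written exactly as in Brian's reply.
CHAIN_A = [Cert("Foo", "Foo", "Key1", "Key2"), Cert("Foo", "Foo", "Key2", "Key3"),
           Cert("Foo", "Foo", "Key3", "Key3", trust_anchor=True)]
CHAIN_B = [Cert("Foo", "Foo", "Key1", "Key1"), Cert("Foo", "Bar", "Key1", "Key2"),
           Cert("Bar", "Bar", "Key2", "Key2", trust_anchor=True)]

if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        print(name, "unpatched:", validate_chain(chain), "patched:", validate_chain(chain, patched=True))
```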