Questions about signing an intermediate CA
Michael Leone
turgon at mike-leone.com
Wed Feb 12 23:09:24 UTC 2020
On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik
<Michael.Wojcik at microfocus.com> wrote:
>
> > From: Michael Leone [mailto:turgon at mike-leone.com]
> > Sent: Wednesday, February 12, 2020 12:35
>
> > Even though I used what might be the wrong terms, I'm sure you knew what I meant ...
>
> Sure. But PKIX, and X.509-based PKI more generally, are - not to mince words - horrible. They're agonizingly complicated and confusing, and arguably fundamentally broken in various respects. (See for example the issues raised by the infamous "The OSI of a New Generation" presentation.)
I'm not sure how "infamous" it is, as I've never heard of it, even in
passing. :-)
> And here on the openssl-users list there are people with widely varying experience with and understanding of these matters; and the list is archived in various places, which means there's some chance someone will read these notes years from now. Many of those people don't have the time to become experts in PKI, and will want to be able to search for additional information based on what they see here.
Yeah, that would be me. :-)
> So it's useful to try to be very precise in our terminology.
You're right, of course.
>
> Often, for example, the cognoscenti will refer to a certificate's "purpose". That's an ambiguous term. In context it might refer to Basic Constraints, or Key Usage, or Extended Key Usage, or even the old Netscape Cert Type; it might refer to something inferred from other attributes (if Subject DN is the same as Issuer DN, then it's self-signed and possibly a root); or it might refer to something particular to its PKI or application, and not actually an attribute of the certificate at all. That's fine when we all understand what we're talking about. On the list, however, it's best to be explicit: "EKU should include TSL Web Server Authentication for this type of certificate" and so forth.
>
> For some readers, using "CA" and "certificate" interchangeably could be very confusing.
>
> So I'm not being pedantic just for its own sake (I can yell at the television for that). Apologies if it came across that way.
I get it. Sorry I snapped. No apologies needed on your side.
--
Mike. Leone, <mailto:turgon at mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...
More information about the openssl-users
mailing list