Peter Saint-Andre wrote on 4/9/2010 9:29 AM:
> Regarding self-signed certs, Alexey and I had the following exchange...
>
> On 4/5/10 3:34 PM, Alexey Melnikov wrote:
>> Peter Saint-Andre wrote:
>>
>>> Given that a self-signed certificate can say *anything*, I don't know
>>> that it's helpful to enforce any rules about issuance and checking of
>>> self-signed certs. It's not as if any "certification" has taken place in
>>> this situation.
>>>
>> +1.
>
> Someone named "ArkanaoiD" (how's that for identity? :) wrote:
>
> Well, when it comes to implementation we get *two* matching
> algorithms then, which is definitely no good.
>
> IMHO we don't necessarily get two matching algorithms -- it's just that
> the matching algorithm for self-signed certificates is not specified in
> this document. Given that we are trying to define best practices for
> secure authentication of application services, I don't think it makes a
> lot of sense to discuss self-signed certs.
>
> Bruno Harbulot wrote:
>
> I'm not sure this I-D should treat self-signed certs completely
> differently from CA-issued certs. Self-signed certs could be
> considered as a special case of CA-issued certs.
>
> And Bil Corry wrote:
>
> I agree. Isn't the distinction between CA-issued certs and
> self-signed certs more-or-less which CAs you choose to trust?
>
> Bruno and Bil, would you find it acceptable if this document simply does
> not mention self-signed certificates? We really are trying to limit the
> scope of this document to a very particular problem, but I'm quite open
> to discussing related problems in other documents. However, if it is
> going to be more confusing to say that self-signed certs are out of
> scope then I'd consider including some text about them.
How about the scenario where a company acts as its own CA for internal
systems; i.e. their root cert is installed across their entire enterprise
and is effectively a CA for those browsers. Is that in or out of scope for
this document?

- Bil

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
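An added illustration of the point Bruno and Bil raise (this is not code from the I-D, from the mailing list, or from any participant): a self-signed service certificate and a certificate issued by an in-house enterprise root can go through one and the same verification path. The chain-building step asks "does this certificate chain to something in my configured set of trust anchors?", and the identity-matching step asks "does the reference DNS name match a presented dNSName?"; only the contents of the anchor set differ between a pinned self-signed certificate, an installed enterprise root, and nothing at all. The host name `xmpp.example.corp` and the root name "Example Corp Internal Root" are constructed for the example, and all keys and certificates are generated in memory at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; they refer to no real host or CA.
const (
	serviceName    = "xmpp.example.corp"
	enterpriseRoot = "Example Corp Internal Root (constructed)"
)

// newCert mints an ECDSA P-256 certificate for subject. With parent == nil it
// is self-signed; otherwise it is issued by parent/parentKey. Leaves carry the
// subject as a dNSName SAN, which is what hostname matching consults.
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyService is the single verification path for every scenario: chain the
// presented certificate to one of the caller's anchors, then match refName
// against the presented identifiers. Only `anchors` varies between cases.
func verifyService(presented *x509.Certificate, anchors []*x509.Certificate, refName string) error {
	pool := x509.NewCertPool() // empty non-nil pool: no system roots are consulted
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: refName})
	return err
}

// Scenarios reports, per case, whether verifyService accepted the certificate.
func Scenarios() (map[string]bool, error) {
	selfSigned, _, err := newCert(serviceName, false, nil, nil)
	if err != nil {
		return nil, err
	}
	root, rootKey, err := newCert(enterpriseRoot, true, nil, nil)
	if err != nil {
		return nil, err
	}
	issued, _, err := newCert(serviceName, false, root, rootKey)
	if err != nil {
		return nil, err
	}
	none := []*x509.Certificate{}
	pinned := []*x509.Certificate{selfSigned}
	installed := []*x509.Certificate{root}
	results := map[string]error{
		"self-signed, pinned as anchor":                   verifyService(selfSigned, pinned, serviceName),
		"self-signed, no anchor configured":               verifyService(selfSigned, none, serviceName),
		"self-signed, pinned, wrong reference name":       verifyService(selfSigned, pinned, "other.example.corp"),
		"enterprise-issued, root installed":               verifyService(issued, installed, serviceName),
		"enterprise-issued, root not installed":           verifyService(issued, none, serviceName),
		"enterprise-issued, root installed, wrong name":   verifyService(issued, installed, "other.example.corp"),
	}
	out := make(map[string]bool, len(results))
	for name, e := range results {
		out[name] = e == nil
	}
	return out, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-48s accepted=%v\n", name, ok)
	}
}
```

The two "wrong reference name" cases are the ones that matter for the I-D's scope question: they fail for the same reason whether the anchor is the self-signed certificate itself or the enterprise root, because the identity-matching rule is applied after, and independently of, the trust decision.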
