Jean-Marc Desperrier wrote:
Anders Rundgren wrote:
[...]. That Root is actually signed by the
same key and having the same issuer as Sub does not put it in the same
level as Sub since Root is self-signed.
I think you should rethink the meaning of *self*-signed.
The issuer of Root *is* Root, so Root and Sub *do* share the same
issuer, and they are at the same level.
Actually "same level" is overused here and confusing. What I mean is
they are for all applicable purposes both issued by the Root CA, and all
rules apply as such. There is *not* a virtual different CA level for the
root certificate.
> Root-cert is self-signed, signed by Root-cert, and Root-crl is also signed
> by Root-cert. Still Root-crl is *not* one level below Root-cert
> and it does validly emit the CRL for Root-cert.
In fact, Root-crl can validly be seen as one level below Root-cert but
Root-cert can also be seen as one level below Root-cert, as validly as
it can be seen as one level above Root-cert. In one word, "level" when
applied to self-signed certificates does nothing but bring confusion.
The thing that counts is the issuer.
To correct the above sentence, in a pure X.509 view, CRLs signed by
Root-crl apply to certificates signed by Root-cert because Root-crl and
Root-cert have the same DN and nothing more is required.
I wrote the above under the influence of some scenarios that try to
protect CAs from almost freely influencing each other by adding on top
of this some non-normative additional restrictions (like "Root-crl and
Root-cert must have the same issuer"). When you add this restriction, it
still works because Root-crl and Root-cert do have the same issuer.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
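The issuer-matching rule argued in the thread, as an added illustration that is not part of the original messages: a toy model in which a CRL covers a certificate exactly when the two carry the same issuer DN, so the self-signed Root's CRL covers both Root itself and Sub without any notion of "level". All DNs, serials and class names are constructed for the example, and DN equality is plain string comparison rather than the RFC 5280 name-matching rules.

```python
from dataclasses import dataclass, field

# Toy model of the X.509 scope rule discussed above (added illustration,
# not from the thread): a CRL applies to a certificate when the CRL's
# issuer DN equals the certificate's issuer DN. Chain "level" is irrelevant.
# All DNs and serials are constructed; DN matching is plain string equality
# here, whereas RFC 5280 specifies a more tolerant name comparison.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class Crl:
    issuer: str                        # DN of the CA that signed the list
    revoked: frozenset = field(default_factory=frozenset)  # revoked serials

def crl_covers(crl: Crl, cert: Cert) -> bool:
    """Pure X.509 rule: the CRL issuer must equal the certificate issuer."""
    return crl.issuer == cert.issuer

def revocation_status(cert: Cert, crls: list) -> str:
    """Return 'revoked', 'good', or 'unknown' when no CRL covers the cert."""
    applicable = [c for c in crls if crl_covers(c, cert)]
    if not applicable:
        return "unknown"
    if any(cert.serial in c.revoked for c in applicable):
        return "revoked"
    return "good"

def chain_depth(cert: Cert, certs: dict) -> int:
    """Issuer hops up to a self-signed cert (root = 0); not used by the rule."""
    depth = 0
    while cert.issuer != cert.subject:
        cert = certs[cert.issuer]
        depth += 1
    return depth

# Constructed sample PKI: self-signed Root, Sub CA issued by Root, leaf by Sub.
ROOT = Cert(subject="CN=Root", issuer="CN=Root", serial=1)
SUB = Cert(subject="CN=Sub", issuer="CN=Root", serial=2)
LEAF = Cert(subject="CN=leaf", issuer="CN=Sub", serial=3)
CERTS = {c.subject: c for c in (ROOT, SUB, LEAF)}
ROOT_CRL = Crl(issuer="CN=Root", revoked=frozenset({2}))  # Root revokes Sub
SUB_CRL = Crl(issuer="CN=Sub")
```

Root and Sub sit at different chain depths (0 and 1) yet the same Root CRL covers both, which is the point made above: what counts is the issuer, not the level.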