[security-dev 00879]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate

Xuelei Fan Xuelei.Fan at Sun.COM
Wed Jun 3 08:47:12 UTC 2009



Weijun Wang wrote:
> Maybe you can be even more strict: If the trust anchor (cert[0]) is
> already v3, cert[1] must also be v3. Is this reasonable?
>
>   
Currently, the checker knows nothing about the trust anchor. If we 
support the above checking, we need to update the checker and let it know 
the trust anchor's certificate, which is a little bit complex. The trust anchor 
is not in the certification path; cert[0] is the cert directly issued by 
the trust anchor. So, maybe it is reasonable, but I don't think it is worth 
too many changes.

Thanks,
Andrew

> Max
>
> Xuelei Fan wrote:
>   
>> Weijun Wang wrote:
>>     
>>> Xuelei Fan wrote:
>>>  
>>>       
>>>> Weijun Wang wrote:
>>>>    
>>>>         
>>>>> +    // We choose to reject all version 1 and version 2 intermediate
>>>>> +    // certificates except that it is self issued by the trust
>>>>> +    // anchor in order to support key rollover or changes in
>>>>> +    // certificate policies.
>>>>> +    int pathLenConstraint = -1;
>>>>> +    if (currCert.getVersion() < 3) {    // version 1 or version 2
>>>>> +        if (i == 1) {           // issued by a trust anchor
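Review bot: the comment above this block says the exception is for certificates "self issued by the trust anchor", but the only condition visible in the quoted lines is `if (i == 1)`, which tests the certificate's position in the path, not self-issuance; the subject-equals-issuer test (the JDK's `X509CertImpl.isSelfIssued(currCert)`, or an equivalent) needs to accompany it, since a v1 certificate directly under the anchor is otherwise let through regardless of whether it is a rollover certificate. The comment wording "except that it is self issued" would also read more clearly as "unless it is self-issued".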
>>>>>
>>>>> So, self-issued cert can be only issued by trust anchor, but not an
>>>>> intermediate CA?
>>>>>         
>>>>>           
>>>> No, self-issued cert can be issued by any entity, but I choose to reject
>>>> those self-issued version 1 and version 2 certificates here, because I
>>>> have no way to understand whether it is a CA or not.
>>>>     
>>>>         
>>> One question: what's the version of the trust anchor in the failed test?
>>> Is it v1?
>>>
>>>   
>>>       
>> It is V1, and it issues a self-issued V1 certificate to renew the private
>> key, so there is an intermediate V1 CA cert.
>>     
>>> If so, I think the reason the test fails is because it's written in the
>>> v1 age. So my suggestion is that if the trust anchor is v1, then we
>>> wouldn't expect the other certs to obey any new rules. Otherwise, if the
>>> trust anchor is already v3, the validation should conform to the
>>> latest RFC.
>>>   
>>>       
>> RFC 5280 allows V1/V2 certificates, and specifies how to handle version 1
>> and version 2 intermediate CA certs. We can just reject them simply, as
>> the spec requires. I just think we need to support the special case: key
>> rollover.
>>     
>>> In practical cases, is there a CA whose self-signed cert is v3, but it
>>> issues a self-issued cert of v1?
>>>
>>>   
>>>       
>> Many, many Verisign root certs are V1, and the intermediate certs are V3.
>>
>> Thanks,
>> Andrew
>>     
>>> Thanks
>>> Max
>>>
>>>   
>>>       
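The rule the thread settles on (a version 1 or version 2 certificate carries no basicConstraints extension, so a validator cannot tell whether it is a CA and must treat it as a non-CA, except for a self-issued certificate sitting directly under the trust anchor, which is the key-rollover case) can be shown end to end with a small path checker. This is an added example written for this thread, not the JDK's ConstraintsChecker code; `CertInfo` is a hypothetical stand-in for the few X509Certificate fields the rule needs, the path ordering follows the thread (index 0 is the certificate issued directly by the trust anchor, the last element is the end entity), and the sample CA names are constructed placeholders. It also applies the RFC 5280 pathLenConstraint bound to the v3 intermediates, so that a rollover certificate given an unbounded constraint is handled the same way as any other CA.

```java
import java.util.List;

/**
 * Added illustration of the v1/v2 intermediate rule: a v1 or v2 certificate
 * has no basicConstraints, so it is treated as "not a CA" unless it is
 * self-issued (subject == issuer) and issued directly by the trust anchor.
 */
public final class LegacyVersionCheck {

    /** Hypothetical stand-in for the X509Certificate fields the rule consults. */
    public static final class CertInfo {
        final int version;          // 1, 2 or 3, as X509Certificate.getVersion() reports it
        final String subject;
        final String issuer;
        final int basicConstraints; // v3 CA: pathLenConstraint (MAX_VALUE if absent); -1 = not a CA

        CertInfo(int version, String subject, String issuer, int basicConstraints) {
            this.version = version;
            this.subject = subject;
            this.issuer = issuer;
            this.basicConstraints = basicConstraints;
        }

        boolean isSelfIssued() {
            return subject.equals(issuer);
        }
    }

    /**
     * path.get(0) was issued directly by the trust anchor; the last element is the
     * end-entity certificate. Returns null when the path is acceptable, otherwise
     * the reason for rejection.
     */
    public static String checkPath(List<CertInfo> path) {
        int last = path.size() - 1;
        for (int i = 0; i < last; i++) {                // intermediates only; the end entity may be v1
            CertInfo cert = path.get(i);
            int pathLenConstraint = -1;
            if (cert.version < 3) {                     // v1 or v2: no extensions to consult
                if (i == 0 && cert.isSelfIssued()) {    // self-issued by the trust anchor: key rollover
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            } else {
                pathLenConstraint = cert.basicConstraints;
            }
            if (pathLenConstraint == -1) {
                return "cert[" + i + "] " + cert.subject + " (v" + cert.version
                        + ") is not an accepted CA certificate";
            }
            // RFC 5280 6.1.4: pathLenConstraint bounds the number of non-self-issued
            // intermediate certificates that may follow this one in the path.
            int following = 0;
            for (int j = i + 1; j < last; j++) {
                if (!path.get(j).isSelfIssued()) {
                    following++;
                }
            }
            if (following > pathLenConstraint) {
                return "cert[" + i + "] " + cert.subject + " pathLenConstraint "
                        + pathLenConstraint + " exceeded by " + following + " following CA(s)";
            }
        }
        return null;
    }

    /** Constructed sample paths; the names are placeholders, not real CAs. */
    public static void main(String[] args) {
        CertInfo rollover = new CertInfo(1, "CN=Root", "CN=Root", -1);      // v1, self-issued under the v1 anchor
        CertInfo subCa    = new CertInfo(3, "CN=Sub CA", "CN=Root", 0);     // v3 CA, pathLen 0
        CertInfo legacyCa = new CertInfo(1, "CN=Old Sub", "CN=Root", -1);   // v1, not self-issued
        CertInfo leaf     = new CertInfo(3, "CN=server", "CN=Sub CA", -1);
        CertInfo leafOld  = new CertInfo(3, "CN=server", "CN=Old Sub", -1);

        report("key rollover", List.of(rollover, subCa, leaf));                 // accepted
        report("v1 intermediate", List.of(legacyCa, leafOld));                  // rejected: cannot tell it is a CA
        report("self-issued below sub CA",                                      // rejected: not directly under the anchor
               List.of(subCa, new CertInfo(1, "CN=Sub CA", "CN=Sub CA", -1), leaf));
        report("pathLen exceeded",                                              // rejected: Sub CA allows no further CA
               List.of(subCa, new CertInfo(3, "CN=Sub Sub", "CN=Sub CA", 0),
                       new CertInfo(3, "CN=server", "CN=Sub Sub", -1)));
    }

    private static void report(String name, List<CertInfo> path) {
        String reason = checkPath(path);
        System.out.println(name + ": " + (reason == null ? "accepted" : "rejected - " + reason));
    }
}
```

The third sample is the case Xuelei describes: a self-issued v1 certificate issued by an intermediate CA rather than by the trust anchor is still rejected, because nothing in a v1 certificate says whether its subject is a CA. Only the first path, the v1 root that rolled its key with a self-issued v1 certificate, passes.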