Hi Ted,

using a self signed certificate doesn't mean your connection is less secure.
It is only people are going to use your web pages because they get a warning
that the certificate is not certified b a CA. But with openssl you can use
the same routine to generate your certificate like a CA.

Regards

Richard

-----Ursprüngliche Nachricht-----
Von: owner-openssl-users-MCmKBN63+***@public.gmane.org
[mailto:owner-openssl-users-MCmKBN63+***@public.gmane.org] Im Auftrag von Bernhard Froehlich
Gesendet: Mittwoch, 19. Januar 2005 09:23
An: openssl-users-MCmKBN63+***@public.gmane.org
Betreff: Re: Does a root CA need two certificates?
I think it may be possible to use a self-signed (or root) certificate
for a web server but it does not make much sense.
If you want to build up a CA (for Inhouse use in a company for example)
you should use the CA's key ONLY to sign certificates.
If you just want to play around with SSL it's better to simulate the
usual approach, especially since this only costs you the call of another
script.
Using a self-signed CA in an Internet-environment is almost senseless
since this leaves you open to man-in-the-middle attacks. And most people
who can listen to the wire can also redirect requests.

Hope it helps,
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Hi Richard,

How else do you authenticate the "originator of the certificate"

I dont know if you really want to read it up but I found the concept in:
http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps

an explaination to the same.
It tells you why an assymetric keypair like RSA is used/needed to sign the
certificates.
One of the keys is probably what the browser has and the other is the key
used to sign the webserver's digital cert generated from the csr.


-hth
Alok


----- Original Message -----
From: "R. Markham" <markham.r-***@public.gmane.org>
To: <openssl-users-MCmKBN63+***@public.gmane.org>
Sent: Wednesday, January 19, 2005 3:28 AM
Subject: AW: Does a root CA need two certificates?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

I made the same mistake as this. Assuming that an authenticated client
is authorised. This gave me a headache since I couldn't work out why
it's secure since anyone could obtain a signed client certificate from
a root CA and if that root CA is in the list of CA's on my webserver
they can get access. However now I understand it. The root CA doesn't
grant a certificate saying "this person is allowed access to your
website" but "this person is WHO THEY SAY THEY ARE". This means it's
still up to you to decide what they should be allowed to access (their
authorization). You've just used a different way of identifying them..
a certificate instead of a username & password.

SSLCheckClientDN and SSLFakeBasicAuth allow for authenticated access in
Apache NOT SSLVerifyClient. SSLVerifyClient just makes sure they have a
valid client certificate.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

The trick is not that everyone can download it, the trick is that
(hopefully) no evil one can modify it. So Bill Gates certifies (by
including the CA-certs on his distribution CDs or digitaly signing the
new Certs for distribution via Windows Update) that those CA-certs are
good CA-certs (I personally disagree sometimes, but that's another story).
If you download a CA-bundle from somewhere else you should make sure
that the source ist trustworthy and noone has modified it, typically by
checking a digital signature or using a secure download.
Of course there are several possibilities to get your fingers in between
in this procedure, but if you just give me a certificate and say "this
is mine" I have no assurance that I'm receiving what you sent.
You are completely right. There are lots of cases where you can use a
self signed CA even more secure that those "official" ones. But internet
applications (in the sense of "my clients have nothing else to do with
me") usually are not among them.
It alway depends on having a "secure" (or "a bit more secure than
unauthenticated internet") channel to distribute the CA-certificates.
And of course the trust in the CAs themselves.
BTW, there is no offense intended by my side, I'm just trying to clarify
this. ;)
Ted

(BFrom a newb who has way too much theory and too little practical --
Well, the way I understand it is, verisign, the company (for example),
has not come out and said, "NO! Don't trust our certificates!!!", and
neither have a lot of other people. So we can assume their certificates
our theirs, even though we can't assume they are who they publically
claim to be.

The trust on the second question is an induced trust in our heads. Since
nobody is standing up to claim that the management of any of these
companies are fraudulent in the claims they make as to who they say they
are, the induced trust takes more effect. But that sort of trust is
outside of PKI.
Well, yeah, if your head of engineering stands up in the morning meeting
and claims he signed the company's internal root CA certificate himself,
that is actually better than if he sent it off to one of the commercial
(or open) CAs, because the external chain of trust is more direct.

Also, that group in Australia that's doing peer-to-peer certification
has an approach that I think is theoretically valid in a different way
and in a different context, because it's a chain of face-to-face trust.
I haven't got a certificate from them yet, but I want to see how well
they implement things.

First I have to make sure I really understand what's going on with
openssl and the more hierarchical approach.

--
Joel Rees <rees-fctGxyACD9F3+***@public.gmane.org>
digitcom, inc. $B3t<02q<R%G%8%3%`(B
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

In message <20050119114725.GB17730-987bfp+7ej6qI+E0KzgamFpr/1R2p/***@public.gmane.org> on Wed, 19 Jan 2005 11:47:25 +0000, Shaun Lipscombe <shaun.lipscombe-8Ra8l+***@public.gmane.org> said:

shaun.lipscombe> At least with SSL you have a single entity at the top,
shaun.lipscombe> in OpenPGP etc you have a "web of trust" and "key
shaun.lipscombe> signing parties" and lots of other stuff which really
shaun.lipscombe> makes key validity a touch n go subject and people
shaun.lipscombe> being who they say they are gets a bit of an iffy
shaun.lipscombe> subject.

OK, time to call bullshit whan I see it :-)

OpenPGP has a different trust model than X.509/PKIX, it's entirely
true. Making that something inherently bad is what I call BS.

The trust model for OpenPGP is direct, personal validation of
identity. I won't sign another person's PGP key unless I either know
this person personally, or can validate his/her identity through some
kind of identity paper, for example a passport together with a
business card where his/her email address is clearly shown together
with the same name as on the passport. The validation chain is a
chain of such checkups, basically, coupled with trust settings (they
can be viewed as policy settings are viewed in the X.509/PKIX world).

The trust model for X.509/PKIX is to trust a higher authority, but can
also be set up as a personal web of trust if you set up your own CA
and use policy extensions properly.

shaun.lipscombe> Just search any keyserver for "Superman" and I'm sure
shaun.lipscombe> you'll find someone that claims to be Superman for
shaun.lipscombe> example.

Claims it in what way? You mean as part of the real name or as part
of the email address? Either way, what stops anyone claiming the same
in the X.509/PKIX world? That's not the point either way, the point
is if you trust the claim, or if you trust someone who would trust
that claim. That kind of trust can be handled, both in the OpenPGP
world and the X.509/PKIX one.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte richard-***@public.gmane.org
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Ahh, now I think we get nearer to the mark. ;)
Yes, the root CA has to distribute its self signed certificate (NOT its
private key, just the cert. There seem to be misunderstandings about
that elsewhere) to those who have to trust it. For example if your
employees have to make sure they are on a company website you have to
give them a disk (this is the secure channel here) containing the CA's
certificate and they have to import it into their browsers.

N.B.: Just make sure that your CA certificate is not used to sign fake
certificates, since if your employees trust your CA this also implies
(at least with current browser implementations) that they trust every
certificate signed by your CA, even if you hand out certificates for
www.bigbank.com or www.ebay.com...
Yes, that sounds correct.
Though a CA can sign other CAs and thereby build longer CA-chains it is
more common in Inhouse-CAs to directly sign end-user (or "end-server")
certificates. And as explained above the self signed certificate of the
root CA has to be distributed.

The approach described by you is a more secure but less practical way.
You typically do this if you are Thawte or Verisign and your root
certificate has to have a very late expiery date, like 25 years from
now. Then it is better to keep the root CA's private(!) keys very very
secure in a bank vault and only use it once a year to sign certificates
for some sub-CAs, which expire in a year or so and are then used to sign
end-user certificates. Now if one of the sub-CAs compromises its private
key, only the certificates singed by this particular sub-CA are void,
and not possibly those of ten or twenty years of work.
But still the root CA's certificate (which apart from management
information primarily contains its signed public(!) key part) has to be
distributed, in the case of Thawte etc. to Bill, the Mozilla project and
people like that.
I think you are already rather close.

Ted
;)

Joel,

you seem to be a bit confused about PKI matters, and among others
what's considered private and what's considered public.

Let me start with the private vs. public part: private keys are
designed to be kept private by the owner. Certificates (which contain
the public key) are designed to be public and to be given out to
anyone who needs it or is interested.

Also, a small detail: CA certificates aren't used to sign with, the
private keys are. You use CA certificates to validate a signature in
any certificate issued by that CA (this puts it simply, since there
are other data that are checked between certificates, but the
signature check is still the most important thing).

Now, the way things work with a X.509/PKIX flavor of PKI, you validate
a certificate (any kind of certificate, be it a user certificate, a
server certificate or whatever kind of certificate we're able to
invent) by checking it against an issuing cerificate (a CA
certificate), among others by checking that the signature in the
current certificate can be verified using the public key in the
issuing certificate. This is done all the way to the top (the root
certificate).

To be able to do a proper certificate validation, you therefore need
all the certificates in the chain, from the certificate you want to
validate to the root certificate that starts (or ends, depending on
your point of view) the chain. This holds true for anyone who needs
to validate your server certificate as well as any certificate your
server needs to validate.

So, to directly answer your questions:

rees> What I'm trying to ask, if I can get it right this time, is
rees> whether a root CA will be passing its own self-signed
rees> certificate out.

Yes, in one form or another.

rees> I think I've figured it out, by the way. In the case of the web
rees> server, the self-signed certificate is not intended for
rees> certifying the web site, but for certifying the certificate(s)
rees> of (a) web site(s), which is why two are necessary.

That's correct. Those aren't two CA certificates, though. The root
certificate is the CA certificate, while the server certificate is a
EE (End Entity) certificate. You confused the matter for yourself
earlier by talking about "two CA certificates".

rees> But in the case of a CA, the certificate is for signing
rees> certificates for other CAs and won't be given out otherwise. But
rees> it would be given out with the signed certificates for the
rees> subordinate CAs.

This is confusing. Either you're publishing a certificate or you
aren't. It doesn't matter if it's bundled with subordinate
certificates or not. And either way, if you want others to be able to
validate a certificate issued by the subordinate CAs, you need to
publish the root CA certificate as well.

rees> But if the root CA machine is also signing server certificates
rees> (which it should not, but that's another story), it should have
rees> a separate certificate for signing certificates for servers.
rees> Should also have a separate piece of the directory tree to do it
rees> in.

You are confusing the matter. It seems like you're saying the CA
should split in two, one that signs subordinate CAs and one that signs
your server certificate. Now, the question is, when you split that CA
in two, are you actually creating an entirely different CA that uses
the same key, or are you in fact creating another subordinate CA
(using the same key?)?

You might want to draw a tree that shows how the root CA, subordinate
CAs and other entities are related to each other. A picture does say
more than a thousand words, and I've already spent a few hundred of
them :-).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte richard-***@public.gmane.org
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org