View Issue Details

ID: 0009047
Project: 10000-006: Mappings
Category: Spec
View Status: public
Last Update: 2024-03-21 22:47
Reporter: Nathan Lebeau
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.05.04 RC1
Summary: 0009047: Self-signed certificates shall have keyCertSign but should not be CA: it is contradictory with the RFC referenced in the spec.
Description

The OPCUA Specification v1.05 Part 6 section §6.2.2 / table 43 specifies that:

  • Self-signed Certificates shall also include keyCertSign.
  • The cA flag should be FALSE for self-signed Certificates, however, TRUE shall be accepted to ensure backward interoperability.

In the section §6.2.1 it is specified that "Certificates [...] shall also conform to RFC 5280" and the RFC 5280 section §4.2.1.3 states that:

  • If the keyCertSign bit is asserted, then the cA bit in the basicConstraints extension (Section 4.2.1.9) MUST also be asserted.

Therefore it seems the backward interoperability version is the only version compliant with RFC 5280.
And the specification part 6 should be fixed to avoid the contradiction between OPC UA specification and RFC.

Tags: No tags attached.
Commit Version: 1.05.04 RC
Fix Due Date: 2023-11-01

Activities

Jim Luth

2023-07-25 15:14

administrator   ~0019718

Need to clarify in spec to reduce these errant Mantis issues.

Randy Armstrong

2023-10-17 08:04

administrator   ~0020197

Added text to 1.05.04:

Note that RFC 6818 updates RFC 5280 and explicitly states that self-signed Certificates used as end-entity Certificates are outside the scope of RFC 5280. This means the requirement that the CA flag be FALSE for ApplicationInstance Certificates does not violate RFC 5280 requirements.

Jim Luth

2024-03-21 22:47

administrator   ~0021002

Agreed to changes in Dallas F2F.
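
The three rules quoted in this issue, applied to DER-encoded keyUsage and basicConstraints extension values. This is an added example, not part of the issue or of the OPC UA specification; the function names and the sample extension bytes are constructed for illustration, and the inputs are the extension contents rather than a whole certificate.

```python
# Added example. Inputs are the DER contents of the keyUsage and
# basicConstraints extensions (constructed bytes, not from a real certificate).
KEY_CERT_SIGN_BIT = 5  # position of keyCertSign in the RFC 5280 KeyUsage BIT STRING

def read_tlv(data):
    """Return (tag, value) for one DER TLV with a short-form length."""
    if len(data) < 2 or data[1] & 0x80:
        raise ValueError("expected a short-form DER TLV")
    tag, length = data[0], data[1]
    if len(data) < 2 + length:
        raise ValueError("truncated DER")
    return tag, data[2:2 + length]

def key_cert_sign(key_usage_der):
    """True if the keyCertSign bit is asserted in a KeyUsage BIT STRING."""
    tag, value = read_tlv(key_usage_der)
    if tag != 0x03 or not value:
        raise ValueError("not a BIT STRING")
    bits = value[1:]  # value[0] is the count of unused trailing bits
    byte, bit = divmod(KEY_CERT_SIGN_BIT, 8)
    return byte < len(bits) and bool(bits[byte] & (0x80 >> bit))

def ca_flag(basic_constraints_der):
    """cA is DEFAULT FALSE, so an empty SEQUENCE means cA = FALSE."""
    tag, value = read_tlv(basic_constraints_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    if not value:
        return False
    inner_tag, inner = read_tlv(value)
    return inner_tag == 0x01 and inner != b"\x00"  # BOOLEAN, any non-zero is TRUE

def evaluate(key_usage_der, basic_constraints_der, self_signed=True):
    """Apply the three rules quoted in the issue; True means the rule is met."""
    kcs, ca = key_cert_sign(key_usage_der), ca_flag(basic_constraints_der)
    return {
        "rfc5280_keyCertSign_requires_cA": (not kcs) or ca,
        "table43_shall_include_keyCertSign": (not self_signed) or kcs,
        "table43_cA_should_be_FALSE": (not self_signed) or not ca,
    }

# Constructed samples: four usage bits set, with and without keyCertSign.
KU_WITH_KCS = bytes.fromhex("030202f4")
KU_NO_KCS = bytes.fromhex("030204f0")
BC_CA_FALSE = bytes.fromhex("3000")
BC_CA_TRUE = bytes.fromhex("30030101ff")
if __name__ == "__main__":
    for bc in (BC_CA_FALSE, BC_CA_TRUE):
        print(bc.hex(), evaluate(KU_WITH_KCS, bc))
```

No self-signed input satisfies all three rules at once, which is the conflict the reporter describes. The note added to 1.05.04 resolves it by citing RFC 6818, which places self-signed end-entity Certificates outside the scope of RFC 5280.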

Issue History

Date Modified Username Field Change
2023-07-19 12:22 Nathan Lebeau New Issue
2023-07-25 15:14 Jim Luth Note Added: 0019718
2023-07-25 15:14 Jim Luth Assigned To => Randy Armstrong
2023-07-25 15:14 Jim Luth Status new => assigned
2023-07-25 15:15 Jim Luth Commit Version => 1.05.04 RC
2023-07-25 15:15 Jim Luth Fix Due Date => 2023-11-01
2023-10-17 08:04 Randy Armstrong Status assigned => resolved
2023-10-17 08:04 Randy Armstrong Resolution open => fixed
2023-10-17 08:04 Randy Armstrong Fixed in Version => 1.05.04 RC1
2023-10-17 08:04 Randy Armstrong Note Added: 0020197
2024-03-21 22:47 Jim Luth Status resolved => closed
2024-03-21 22:47 Jim Luth Note Added: 0021002