View Issue Details

ID: 0006809
Project: 10000-006: Mappings
Category: Spec
View Status: public
Last Update: 2022-09-27 12:26
Reporter: Christian Zugfil
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Summary: 0006809: Clarify content of self-signed end-entity certificates
Description

The reference to RFC 3280 in Part 6 was updated to RFC 5280 in Issue 0006383. This is relevant because of clarifications made in the newer release regarding the use of self-signed certificates as end-entity certificates.

From https://tools.ietf.org/html/draft-ietf-pkix-rfc5280-clarifications-11:
| Consistent with Section 3.4.61 of X.509 (11/2008) [X.509] we note
| that use of self-issued certificates and self-signed certificates
| issued by other than CAs are outside the scope of this specification.
| Thus, for example, a web server or client might generate a self-
| signed certificate to identify itself. These certificates, and how a
| relying party uses them to authenticate asserted identities, are
| both outside the scope of RFC 5280.

The RFC never covered the way self-signed certificates are often used in OPC UA applications and made this clear in the updated RFC.

Since the security working group recently had discussions about the contents of self-signed end-entity certificates (the CA flag in particular) and the RFC explicitly does not cover the use case, the OPC UA specification should cover these certificates in more detail.

Tags: No tags attached.
Commit Version
Fix Due Date

Relationships

related to 0008357 (closed, Randy Armstrong): Requirement on CA Flag for self-signed certificates is a potential security risk

Activities

Randy Armstrong

2021-08-14 02:26

administrator   ~0014741

Added:

Identifies whether the subject of the Certificate is a CA and the maximum depth of valid chains that include this Certificate.
Shall be FALSE for Certificates issued by a CA.
Should be FALSE for self-signed Certificates, however, TRUE shall be accepted to ensure backward interoperability.
The pathLength shall always be 0.

to Table 38 in OPC 10000-6 - UA Specification Part 6 - Mappings 1.05.3 RC
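To make the Table 38 wording in the note above concrete, here is an added example (my own code, not taken from this issue, the OPC Foundation specification text or any OPC UA stack). It decodes the DER value of an X.509 BasicConstraints extension and classifies the certificate per the three rules: cA must be FALSE when a CA issued the certificate, cA should be FALSE on a self-signed certificate but TRUE is accepted for backward interoperability, and pathLength must be 0. Whether the certificate is self-signed (subject equals issuer, signature verifies with its own key) is assumed to be decided by the caller; the DER byte strings in the demo are constructed for this example.

```python
# Added example: DER decoding of BasicConstraints plus the Table 38 policy check.
# Not part of the issue or the OPC UA specification; the self_signed flag is an
# assumption supplied by the caller after comparing subject and issuer.

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class BasicConstraints:
    ca: bool                      # cA BOOLEAN DEFAULT FALSE
    path_length: Optional[int]    # pathLenConstraint INTEGER OPTIONAL (None = absent)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form definite length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL } from its DER encoding."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be exactly one byte")
        ca = val[0] != 0x00
    if pos < len(body) and body[pos] == 0x02:          # INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return BasicConstraints(ca, path_len)


def check_basic_constraints(bc: BasicConstraints, self_signed: bool) -> Tuple[str, str]:
    """Apply the Table 38 rules; return ("accept" | "warn" | "reject", reason).

    self_signed is True only when the caller has established that subject == issuer
    and the signature verifies with the certificate's own public key (assumption).
    """
    if not bc.ca:
        # RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is asserted.
        if bc.path_length is not None:
            return "reject", "pathLenConstraint present although cA is FALSE"
        return "accept", "cA=FALSE, as required for an end-entity certificate"
    if not self_signed:
        return "reject", "cA=TRUE on a certificate issued by a CA (shall be FALSE)"
    if bc.path_length != 0:
        # The note says pathLength shall always be 0; an absent value means
        # "unlimited" in RFC 5280, so it is treated as a violation here (my reading).
        return "reject", f"pathLenConstraint is {bc.path_length!r}, must be 0"
    return "warn", "self-signed certificate asserts cA=TRUE; accepted for backward interoperability"


if __name__ == "__main__":
    # Constructed sample DER values for the demo (not captured from real certificates).
    samples = {
        "empty (cA FALSE)":        bytes.fromhex("3000"),
        "cA TRUE, no pathLen":     bytes.fromhex("30030101ff"),
        "cA TRUE, pathLen 0":      bytes.fromhex("30060101ff020100"),
        "cA TRUE, pathLen 5":      bytes.fromhex("30060101ff020105"),
    }
    for name, der in samples.items():
        bc = parse_basic_constraints(der)
        for self_signed in (True, False):
            verdict, reason = check_basic_constraints(bc, self_signed)
            print(f"{name:22} self_signed={self_signed!s:5} -> {verdict}: {reason}")
```

A validator in an OPC UA stack would obtain the extension value from the parsed certificate (OID 2.5.29.19) and feed it to `parse_basic_constraints`; the "warn" outcome is where an application could log that a peer still uses the older cA=TRUE convention without refusing the connection.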

Jim Luth

2021-08-31 16:15

administrator   ~0014788

Agreed to changes edited in 1.05.01 Draft 4.

Issue History

Date Modified Username Field Change
2021-04-12 13:57 Christian Zugfil New Issue
2021-04-13 16:09 Jim Luth Assigned To => Randy Armstrong
2021-04-13 16:09 Jim Luth Status new => assigned
2021-08-14 02:26 Randy Armstrong Status assigned => resolved
2021-08-14 02:26 Randy Armstrong Resolution open => fixed
2021-08-14 02:26 Randy Armstrong Note Added: 0014741
2021-08-31 16:15 Jim Luth Status resolved => closed
2021-08-31 16:15 Jim Luth Note Added: 0014788
2022-09-27 12:26 Alexander Allmendinger Relationship added related to 0008357