View Issue Details

ID: 0008357
Project: 10000-006: Mappings
Category: Spec
View Status: public
Last Update: 2023-01-24 17:26
Reporter: Alexander Allmendinger
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.05.01
Fixed in Version: 1.05.03 RC1
Summary: 0008357: Requirement on CA Flag for self-signed certificates is a potential security risk
Description

We see products which are not accepting self-signed certificates which have the CA Flag set to TRUE due to security concerns. The specification in 1.05 states:
The CA flag should be FALSE for self-signed Certificates, however, TRUE shall be accepted to ensure backward interoperability.
If the CA flag is TRUE for self-signed ApplicationInstance Certificates, then the pathLength shall be 0.

The security concern is about the requirement to accept self-signed certificates where the CA Flag is set to TRUE for backward interoperability. Is this a hard requirement or should such certificates rather be rejected by default with a configuration option to accept them (individually)?

In any case the requirement changes need to be pushed back to 1.04 as well.

Tags: No tags attached.

Relationships

related to 0006809 (closed, Randy Armstrong): Clarify content of self-signed end-entity certificates
related to 0008370 (closed, Randy Armstrong): Requirement on CA Flag for self-signed certificates is a potential security risk

Activities

Bernd Edlinger

2022-09-28 04:38

reporter   ~0017866

I don't see what security concern that may be, since a self-signed certificate alone is not enough
to trust any certificate that was issued by such a self-signed certificate, since there must
also be a CRL issued by that self-signed certificate and explicitly installed by the server admin
into the trusted_crls folder, that can hardly be done by accident.

Randy Armstrong

2022-09-29 14:18

administrator   ~0017890

Agreed to update text in 1.05 and produce errata for 1.04.

Randy Armstrong

2022-12-28 10:22

administrator   ~0018363

Updated 6.2.2 to require that cA flag = FALSE for ApplicationInstance Certificates.

Created 1.04 errata.

Jim Luth

2023-01-24 17:26

administrator   ~0018574

Agreed to changes in web meeting.
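
The acceptance rule discussed in this issue, as an added example that is not part of the original issue or of the OPC UA specification: a Python check on the basicConstraints extension value of a self-signed ApplicationInstance Certificate that rejects cA = TRUE by default, with an opt-in that accepts it only when pathLength is 0. The function names and the `allow_legacy_ca` option are hypothetical, the sample bytes are constructed, and the caller is assumed to have already extracted the extension value and established that the certificate is self-signed.

```python
# Added example (hypothetical names). Input is the DER value of the X.509
# basicConstraints extension (RFC 5280):
#   SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }

def parse_basic_constraints(der: bytes):
    """Return (cA, pathLen or None); short-form DER lengths only."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    body, ca, path_len = der[2:], False, None
    while body:
        if len(body) < 2 or body[1] >= 0x80 or len(body) < 2 + body[1]:
            raise ValueError("truncated or long-form element")
        tag, value, body = body[0], body[2:2 + body[1]], body[2 + body[1]:]
        if tag == 0x01 and len(value) == 1:    # BOOLEAN cA
            ca = value[0] != 0x00
        elif tag == 0x02 and value:            # INTEGER pathLenConstraint
            path_len = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected element")
    return ca, path_len

def check_self_signed_app_cert(der: bytes, allow_legacy_ca: bool = False):
    """Return (accepted, reason) for a self-signed ApplicationInstance cert.

    Default: cA must be FALSE. allow_legacy_ca=True models a per-certificate
    opt-in that accepts cA=TRUE, and then only with pathLength 0.
    """
    try:
        ca, path_len = parse_basic_constraints(der)
    except ValueError as exc:
        return False, f"malformed basicConstraints: {exc}"
    if not ca:
        return True, "cA=FALSE"
    if not allow_legacy_ca:
        return False, "cA=TRUE rejected by default"
    if path_len != 0:
        return False, "cA=TRUE without pathLength 0"
    return True, "cA=TRUE accepted by legacy opt-in"

# Constructed sample extension values.
CA_FALSE = bytes.fromhex("3000")                   # cA omitted, so FALSE
CA_TRUE_NO_LEN = bytes.fromhex("30030101ff")       # cA TRUE, no pathLen
CA_TRUE_LEN0 = bytes.fromhex("30060101ff020100")   # cA TRUE, pathLen 0

if __name__ == "__main__":
    for name in ("CA_FALSE", "CA_TRUE_NO_LEN", "CA_TRUE_LEN0"):
        for legacy in (False, True):
            print(name, legacy, check_self_signed_app_cert(globals()[name], legacy))
```

A malformed or truncated extension value is rejected rather than treated as cA = FALSE, so a parsing failure cannot turn into an acceptance.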

Issue History

Date Modified Username Field Change
2022-09-27 12:26 Alexander Allmendinger New Issue
2022-09-27 12:26 Alexander Allmendinger Relationship added related to 0006809
2022-09-27 12:28 Alexander Allmendinger Description Updated
2022-09-28 04:38 Bernd Edlinger Note Added: 0017866
2022-09-28 12:04 Paul Hunkar Assigned To => Randy Armstrong
2022-09-28 12:04 Paul Hunkar Status new => assigned
2022-09-28 12:04 Paul Hunkar Summary Requirement on cA Flag for self-signed certificates is a potential security risk => Requirement on CA Flag for self-signed certificates is a potential security risk
2022-09-28 12:04 Paul Hunkar Description Updated
2022-09-29 14:18 Randy Armstrong Note Added: 0017890
2022-09-29 14:19 Randy Armstrong Issue cloned: 0008370
2022-09-29 14:19 Randy Armstrong Relationship added related to 0008370
2022-12-28 10:22 Randy Armstrong Status assigned => resolved
2022-12-28 10:22 Randy Armstrong Resolution open => fixed
2022-12-28 10:22 Randy Armstrong Fixed in Version => 1.05.03 RC1
2022-12-28 10:22 Randy Armstrong Note Added: 0018363
2023-01-24 17:26 Jim Luth Status resolved => closed
2023-01-24 17:26 Jim Luth Note Added: 0018574