Subject: How to allow/disallow self-signed certificates?
Hi ebXML CPPA team,

I wanted to note an observation I made. Often self-signed certificates are great to set up a test environment where certificates are used. Whether to allow self-signed certificates in a production system is another discussion, and some argue against it.

OK, to enable self-signed certificates in the CPA we must add the "other party's" certificate to our SecurityDetails element, because we only trust certificates that have been signed by one of the certificates listed in the appropriate SecurityDetails, and a self-signed certificate (as the name indicates) is signed by itself.

-------------------------------------example-----------------------------
* Party A:
    certificate A-1
    certificate A-2
    trust A-trust
      * certificate B-1
    transport A-t
      use ssl version 3.0
      when receiving use certificate A-1 as server SSL cert
      when receiving only trust a client SSL cert that has been signed by one of the certs listed in trust A-trust

* Party B:
    certificate B-1
    certificate B-2
    trust B-trust
      * certificate A-1
    transport B-t
      use ssl version 3.0
      when sending use certificate B-1 as client SSL cert
      when sending only trust the server cert that was signed by one of trust B-trust
-------------------------------------example-----------------------------

Actually, two interesting observations:

a) If B sends an ebXML message to A, it can determine the SSL server certificate that A will be using (it must look at the appropriate place in the other PartyInfo). So there will be two checks required:
   1. The SSL server certificate of A must match the one in the CPA, AND
   2. the SSL server certificate must be signed by one of trust B-trust.
   -> Clearly check number 2 can be done at CPA import time, and a system can refuse to import the CPA if the server certificate is not signed by one of the trust certificates. But I think this check must still be done at run time.

b) In case self-signed certificates are allowed, the CPA formation process does need to update the trust elements (the SecurityDetails element in the real CPA) and must add the "other's" SSL server / SSL client certificate to the trust (SecurityDetails/TrustAnchor) element.

More thoughts:

Question: How to express in the CPP that self-signed certificates are accepted?

Answer: I think the optional SecurityPolicy element could be used for this, to allow self-signed certs (useful for a test setup) or not. Unfortunately the SecurityPolicy element is an empty sequence.

Suggestion: A new element could be added to the SecurityPolicy element, e.g. an optional element such as "AllowSelfSignedCertificates"? The absence of this element could mean NOT to trust self-signed certificates.

Thoughts?

Sacha Schlegel