Re: [ebxml-cppa] How to allow/disallow self-signed certificates?

[Sacha Schlegel <sacha@schlegel.li>]

Hi ebXML CPPA team.

The ebXML CPPA spec actually suggests ('may be added' -> I do not know
how to do it otherwise though except some new SecurityPolicy setting) to
add the "other parties self-signed" certificates to this parties
appropriate TrustAnchors.

Appendix 5 section "E.5.2.3 DocExchange Checks for
BusinessTransactionCharacteristics" in paragraph starting at line 7162.

So that confirms me to add them to the appropriate TrustAchnors element.

The question how we can specify in a CPP to allow self-signed
certificates is still open. Clearly an option is to not express it in
the CPP and let it be negotiated (manually or electronically) in the CPA
formation process. A clear directive such as
"AllowSelfSignedCertificates" could help the CPA formation process.

Sacha

Am Sonntag, den 18.02.2007, 11:31 +0100 schrieb Sacha Schlegel:
> Hi ebXML CPPA team
> 
> I wanted to note an observation I made. Often self-sigend certificate
> are great to setup a test environment where certificates are used.
> Whether to allow self-signed certificates in a production system is
> another discussion and some argue against it.
> 
> OK to enable self-signed certificates in the CPA we must add the "other
> parties" certificate to our SecurityDetails element because we only
> trust certificates that have been signed by one of the certificates
> listed in the appropriate SecurityDetails and a self-signed certificate
> (as the name indicates) is signed by itself.
> 
> -------------------------------------example-----------------------------
> * Party A:
> 
> certificate A-1
> certificate A-2
> 
> trust A-trust
>   * certificate B-1
> 
> transport A-t
>   use ssl version 3.0
>   when receiving use certificate A-1 as server SSL cert
>   when receiving only trust a client SSL cert that has been signed by
> one of the certs listed in trust A-trust 
> 
> * Party B:
> 
> certificate B-1
> certificate B-2
> 
> trust B-trust
>   * certificate A-1
> 
> transport B-t
>   use ssl version 3.0
>   when sending use certificate B-1 as client SSL cert
>   when sending only trust the server cert that was sigend by one of
> trust B-trust
> 
> -------------------------------------example-----------------------------
> 
> Actually two interesting observations
> 
> a) If B sends an ebXML message to A it can determine the SSL server
> certificate that A will be using (must look at the appropriate place in
> the other PartyInfo). So there will be two checks required: 1. The SSL
> Server certificate of A must match the one in the CPA AND 2. the SSL
> Server certificate must be signed by one of trust B-trust.
> 
> -> clearly check number 2 can be done at CPA import time and a system
> can reject to import the CPA if the server certificate is not signed by
> one of the trust certificates. But I think this check must still be done
> at run time.
> 
> b) in case of allowed self-signed certificates the cpa formation process
> does need to update the trust elements (the SecurityDetails element in
> the real CPA) and must add the "others" SSL Server, SSL Client
> certificate to the trust (SecurityDetails/TrustAnchor) element.
> 
> More thoughs:
> 
> Question: How to express to accept self-signed certificates in the CPP.
> 
> Answer: I think the optional SecurityPolicy element could be used for
> this, to allow self-signed cert (for a test setup useful) or not.
> Unfortunately the SecurityPolicy element is an empty sequence.
> 
> Suggestion: A new element could be added to the SecurityPolicy element.
> Eg an optional element such as "AllowSelfSignedCertificates"? The
> absence of this element could mean to NOT trust self-signed
> certificates.
> 
> Thoughts?
> 
> Sacha Schlegel
> 
>