OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-cppa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: How to allow/disallow self-signed certificates?

Hi ebXML CPPA team

I wanted to note an observation I made. Often self-sigend certificate
are great to setup a test environment where certificates are used.
Whether to allow self-signed certificates in a production system is
another discussion and some argue against it.

OK to enable self-signed certificates in the CPA we must add the "other
parties" certificate to our SecurityDetails element because we only
trust certificates that have been signed by one of the certificates
listed in the appropriate SecurityDetails and a self-signed certificate
(as the name indicates) is signed by itself.

* Party A:

certificate A-1
certificate A-2

trust A-trust
  * certificate B-1

transport A-t
  use ssl version 3.0
  when receiving use certificate A-1 as server SSL cert
  when receiving only trust a client SSL cert that has been signed by
one of the certs listed in trust A-trust 

* Party B:

certificate B-1
certificate B-2

trust B-trust
  * certificate A-1

transport B-t
  use ssl version 3.0
  when sending use certificate B-1 as client SSL cert
  when sending only trust the server cert that was sigend by one of
trust B-trust


Actually two interesting observations

a) If B sends an ebXML message to A it can determine the SSL server
certificate that A will be using (must look at the appropriate place in
the other PartyInfo). So there will be two checks required: 1. The SSL
Server certificate of A must match the one in the CPA AND 2. the SSL
Server certificate must be signed by one of trust B-trust.

-> clearly check number 2 can be done at CPA import time and a system
can reject to import the CPA if the server certificate is not signed by
one of the trust certificates. But I think this check must still be done
at run time.

b) in case of allowed self-signed certificates the cpa formation process
does need to update the trust elements (the SecurityDetails element in
the real CPA) and must add the "others" SSL Server, SSL Client
certificate to the trust (SecurityDetails/TrustAnchor) element.

More thoughs:

Question: How to express to accept self-signed certificates in the CPP.

Answer: I think the optional SecurityPolicy element could be used for
this, to allow self-signed cert (for a test setup useful) or not.
Unfortunately the SecurityPolicy element is an empty sequence.

Suggestion: A new element could be added to the SecurityPolicy element.
Eg an optional element such as "AllowSelfSignedCertificates"? The
absence of this element could mean to NOT trust self-signed


Sacha Schlegel

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]