Peter Williams <P(_dot_)Williams(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk> asks
"It was once put to me that a self-signed RSA, or other public-key cipher,
X.509 Certificate is a security risk.
Is there any truth in this statement?"
--------------
Signing your own certificate provides no additional information other than that you
are in possession of the "private" key of the key pair, one key of which is the
"public" one contained in the certificate.
We, the OSI Directory group, defined the certificate to validate the binding of
the name object to the key. Suppose you saw or received a published or
distributed certificate saying that here is Bill Clinton's public key and that
certificate was signed using the matching private key. Suppose you then
received a message stating that in order to kick start the economy you had
been chosen to receive a million dollars to spend as you wish, and to receive
your million, please show up at the White House on Sunday. You validate the
message signature using the public key from Bill's certificate. It's good.
Would you immediately buy airplane tickets to DC? If so, I know of some Arizona
river bottom land you might be interested in buying.
The purpose of the certificate is to have a trusted authority (one you know and
trust) validate the binding of an object to that object's public key. If you
don't know, and therefore should not trust, the signer of the certificate, then
somewhere there should be another certificate of the signer of that first
certificate containing the key you want to use for validation. This chain can
go on until there is a certificate created by an agency you trust. This trust
might come because the key is published by the White House in many magazines,
newspapers, and computer networks. If that key was used to sign Bill's
certificate, or some certificate up the chain, you can reasonably trust Bill's
certificate. (I would probably still call about the million.)
If the OSI directory group had just wanted to be able to publish public keys
for objects, we would have just created an attribute to hold the key in the
directory. We would have also just stuck the public key in the protocol along
with the signed message.
Granted, this could be used to verify that the message was as it had been sent,
i.e., message integrity had been maintained. But such an approach would be
shaky for confidentiality - only the holder of the private key could read the
message concealed with the public key; but is that holder who I think it is?
And such an approach totally invalidates data origin authentication.
So, is a self-signed certificate a security risk? No, but trusting one is.
My opinions come from my work with the OSI Directory group, the creators of the
much referenced X.509. I am only just now coming up to speed on what is
happening in the PEM community. I am blissfully assuming that the X.509 intentions
still hold up here.
hoyt
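The Bill Clinton story above, replayed in code as an added example (this is not code from Hoyt's post or from the OSI Directory group). Textbook RSA with small primes and a string "to-be-signed" field stand in for real X.509/DER and are not secure; the names, the trust-store layout and the message are constructed for illustration. The point it shows is the one in the last line of the post: the impostor's signature verifies against the key in his self-signed certificate, so the message "is good", yet the certificate chains to nothing you trust, and it only starts to pass once you put it in the trust store yourself.

```python
"""Toy certificate-chain check (added example, not from the original post).
Textbook RSA with small primes; not secure, not real X.509."""
import hashlib
import math
from dataclasses import dataclass


def _is_prime(n: int) -> bool:
    return n >= 2 and all(n % i for i in range(2, int(n ** 0.5) + 1))


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def make_keypair(seed: int, e: int = 65537):
    """Toy RSA key pair; the seed only picks which small primes get used."""
    p = _next_prime(seed)
    q = _next_prime(p + 1000)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # keep e invertible mod phi
        q = _next_prime(q + 1)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (p * q, e), (p * q, d)                 # (public, private)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    pubkey: tuple          # (n, e)
    issuer: str
    signature: int

    def tbs(self) -> bytes:
        """What the issuer signs: the name-to-key binding plus the issuer name."""
        return f"{self.subject}|{self.pubkey[0]}|{self.pubkey[1]}|{self.issuer}".encode()


def issue(subject: str, subject_pub, issuer: str, issuer_priv) -> Cert:
    unsigned = Cert(subject, subject_pub, issuer, 0)
    return Cert(subject, subject_pub, issuer, sign(issuer_priv, unsigned.tbs()))


def is_self_signed(cert: Cert) -> bool:
    return cert.issuer == cert.subject and verify(cert.pubkey, cert.tbs(), cert.signature)


def validate_chain(chain, trust_anchors) -> bool:
    """Leaf first. Each cert must be signed by the next cert's key, and the last
    must match a (name, key) anchor obtained out of band (the post's key
    'published in many magazines'). A self-signature on the last cert is never
    consulted: it proves nothing about who holds the key."""
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False
        if not verify(issuer.pubkey, cert.tbs(), cert.signature):
            return False
    root = chain[-1]
    return (root.subject, root.pubkey) in trust_anchors


def scenario():
    """Replays the story from the post and returns the outcome of each check."""
    wh_pub, wh_priv = make_keypair(1_000_000)      # the White House CA (assumed anchor)
    bill_pub, _ = make_keypair(2_000_000)          # the real Bill
    imp_pub, imp_priv = make_keypair(3_000_000)    # an impostor

    trust_store = {("White House CA", wh_pub)}     # learned out of band
    wh_root = issue("White House CA", wh_pub, "White House CA", wh_priv)
    bill_cert = issue("Bill Clinton", bill_pub, "White House CA", wh_priv)
    fake_cert = issue("Bill Clinton", imp_pub, "Bill Clinton", imp_priv)   # self-signed

    msg = b"You have been chosen to receive a million dollars; come to the White House Sunday."
    sig = sign(imp_priv, msg)

    return {
        # The trap: the message really was signed by the key in the certificate.
        "message_verifies_against_fake_cert": verify(fake_cert.pubkey, msg, sig),
        "fake_cert_is_self_signed": is_self_signed(fake_cert),
        # ...but nobody you trust vouches for that name-to-key binding.
        "fake_cert_chains_to_anchor": validate_chain([fake_cert], trust_store),
        "real_cert_chains_to_anchor": validate_chain([bill_cert, wh_root], trust_store),
        # The actual risk: trust the self-signed cert yourself and it passes.
        "fake_cert_if_you_trust_it": validate_chain([fake_cert], {("Bill Clinton", imp_pub)}),
        # The real Bill's key does not verify the impostor's signature.
        "message_verifies_against_real_cert": verify(bill_cert.pubkey, msg, sig),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

Note that `validate_chain` compares the anchor by name and key together; matching on the name alone would let the impostor's "Bill Clinton" certificate through, which is exactly the substitution the post warns about.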