share
CryptographyMust root certificates be self signed?
[+10] [2] user27950
[2015-09-27 08:38:48]
[ certificates pki ]
[ https://crypto.stackexchange.com/questions/29427/must-root-certificates-be-self-signed ]

Root certificates are normally self-signed. What is the reason behind that convention? I mean, one must trust the root certificate in a non cryptographic way anyhow.

security.stackexchange.com/a/54267/49075 $\;$ - user991
[+11] [2015-09-27 09:53:17] fgrieu [ACCEPTED]

Among the reason why root public keys are often expressed as a self-signed certificate are:

  1. It cryptographically protects against a deliberate alteration of an attribute of the public key (e.g. extension of validity period, or of what the key can be used for).
  2. It strongly protects against accidental alteration of the public key value.
  3. It is a reasonably effective countermeasure against some deliberate alterations of public key value or attributes, e.g. fault-injection attack.
  4. It makes it easier to have all public keys share a single common format, complete with attributes.
  5. Public keys are usually generated by an entity distinct from the entity or entities that will certify it, and thus if we want to leverage the above benefits must be self-signed at some point. Now if there is no authority to certify that key (as is the case for a root CA key in a system with a single and independent root CA), it will just stay that way.

However, not all implicitly trusted or root public keys exist as a self-signed certificate, much less exist only in this form. For example, the public key of the European Root Certification Authority of the Digital Tachograph system [1] is not available as a self-signed certificate (which could be made), for good reasons:

  • the relevant legal text [2] does not provide that the key could be used to certify itself:

    [CSM_007] At European level, a single European key pair (EUR.SK and EUR.PK) shall be generated. The European private key shall be used to certify the Member States public keys. Records of all certified keys shall be kept. These tasks shall be handled by a European certification authority, under the authority and responsibility of the European Commission.

  • there would be a chicken-and-egg problem accessing the content of an hypothetical self-signed certificate of that key, for Digital Tachograph certificates use a signature scheme with message recovery (as many Card Verificable Certificates [3] do), and part of the public key is in the recoverable part of the signed message.
[1] https://dtc.jrc.ec.europa.eu/dtc_erca_official_documentation.php
[2] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01985R3821-20141101#page=317
[3] http://en.wikipedia.org/wiki/Card_Verifiable_Certificate

1
[+4] [2015-10-01 22:12:39] Wim Lewis

There is no need for a trust anchor to be distributed as a certificate at all, let alone a self-signed one. The certificate path validation requirements in RFC5280 make this reasonably clear; it even says in ยง6.2:

The path validation algorithm presented in Section 6.1 does not assume that trust anchor information is provided in self-signed certificates

However, a certificate is a standardized format that can contain the information needed about a trust anchor, and which any implementation is obviously going to have to have the ability to parse anyway, so it's a very common way to represent and to distribute trust anchors.


2