Talk:X.509

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computing: Networking / Websites Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles Low This article has been rated as Low-importance on the project's importance scale. This article is supported by Networking task force (assessed as High-importance). This article is supported by WikiProject Websites (assessed as Mid-importance). This article is supported by WikiProject Computer Security (assessed as High-importance). Things you can help WikiProject Computer Security with: edit history watch purge Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

The only cited reference doesn't actually seem to have been a source for the article, as it is actually about a compromise of the mechanism, and, although it may cover some of the facts in passing, it certainly doesn't cover most of them.

I've moved it to external links.

It was:

Arjen Lenstra, Xiaoyun Wang and Benne de Weger, Colliding X.509 Certificates, 1 March 2005, ePrint archive, [1].

--David Woolley 11:27, 15 November 2005 (UTC)[reply]

I've added a line about the X.509 certificate collision, and so moved the citation back to the "References" section. &mdash; Matt <small>Crypto</small> 12:36, 15 November 2005 (UTC)[reply]

There is still a problem that all but one paragraph lacks sources. Unfortunately, there doesn't seem to be a template for this article's references are largely incomplete. --David Woolley 12:47, 15 November 2005 (UTC).[reply]

This article was linked from another article (the latter in "common-man's" English).

But after two quick glances my eyes just glazed over.

There's got to be a better way.... --angrykeyboarder (a/k/a:Scott) 14:03, 4 September 2006 (UTC)[reply]

Thought people should be informed that the "better way" link mentioned above takes one to a commercially supported website named "webopedia.com"; "commercial" in the sense that that are numerous ads on the site. I would agree that the quality of this X.509 article needs improving - both for the "common man" as well as the computer science learner and/or practitioner. Dan Aquinas (talk) 18:11, 31 May 2012 (UTC)[reply]

As of Internet Explorer 7 CRL validation is on by default. —Preceding unsigned comment added by 24.232.96.62 (talk) 03:19, 7 October 2007 (UTC)[reply]

In addition to the article's dependence on specific contextual background knowledge, without which it's mostly gibberish, the article suffers severely from UAD (Unexplicated Acronym Disorder) by frequently using acronyms without ever presenting what these stand for. — Preceding unsigned comment added by 207.86.52.36 (talk) 16:05, 30 September 2011 (UTC)[reply]

Much of this article is written in a casual style, especially this paragraph:

This is an example of a self-signed certificate; note that the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; we've reached the top of the certificate chain. So how does this certificate become trusted? Simple - it's manually configured. Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. This certificate comes with the web browser (you can probably find it listed as "Thawte Server CA" in the security settings); it's trusted by default. As a long-lived (note the expiration date), globally trusted certificate that can sign pretty much anything (note the lack of any constraints), its matching private key has to be one of the most closely guarded in the world.

I lack enough knowledge of the subject matter to rewrite it though... —Preceding unsigned comment added by 64.112.227.142 (talk) 00:50, 12 December 2007 (UTC)[reply]

I rewrote X.509#Sample X.509 certificates; I'll leave the tone tag so somebody else can look at it. MoraSique (talk) 00:14, 9 July 2008 (UTC)[reply]

Looks fine to me; I removed the maintenance tag. grendel|khan 14:04, 28 August 2008 (UTC)[reply]

The Certificates section suggests that large CA venders paid fee to make their root certificates pre-installed. On the other hand, a web page from the Mozilla Project clearly states no such fee. I see that pre-installation requires some kind of audit, such as WebTrust, and CA venders might pay money to the auditor. It would be great if some parts of the section is rewritten, so that readers will not get confused.Iida-yosiaki (talk) 14:11, 13 February 2009 (UTC)[reply]

How on earth did we get over 100 root certificates, all trusted unconditionally to authenticate any site whatsoever? Can someone please explain to me how https is any more secure than plain old http? Deepmath (talk) 22:35, 1 August 2009 (UTC)[reply]

Isn't authentication a job for government, rather than private enterprise? Private enterprise isn't going to authenticate anybody unless there's money in it, and their attitude is that

more money == better authentication

What if all the private driving schools in the US issued their own drivers' licenses, and for $300 extra, I could get a super-duper extended secure driver's license that proved it was actually me driving my car, and not some illegal alien? Or what if I had to renew my driver's license every year so the DMV could make more money? Deepmath (talk) 01:05, 2 August 2009 (UTC)[reply]

Article could benefit from a criticism section. The recent certificate attacks on Comodo and DigiNotar are the system showing some strain. http://dankaminsky.com/2011/08/31/notnotar/ suggests he's been criticizing the standard for years, maybe others have meaningful things to say here too. — Preceding unsigned comment added by 204.87.16.4 (talk) 12:08, 1 September 2011 (UTC)[reply]

Why do you say dv certs are junk certs? EV is the same, just more expensive. Every CA can be promised and DV is the only thing that can be technically verified to ensure that the ssl connection to that given domain is not intercepted. --217.229.5.160 (talk) 05:55, 7 September 2012 (UTC)[reply]

Some troll is adding necessaries citations needed on every paragraph for no reason. --200.123.176.161 (talk) 15:29, 12 October 2012 (UTC)[reply]

If you are going to toss around acronyms, at least define them or link to a defining article. — Preceding unsigned comment added by 66.168.159.111 (talk) 21:14, 5 August 2014 (UTC)[reply]

The following text was added to "Certificate chains and cross-certification" section in 18-05-2015:

certificate "User 1" is signed by "CA1" and the corresponding private key. But there are two different certificates named "CA 1", each of which has been signed differently. "User 1" does not contain the serial number of the signing certificate, either will suffice so long as they have the correct public key.

An X.509 certificate contains its own serial number, but is not required to include the serial number of the CA certificate used to sign it. Even if it was included, the algorithm defined in RFC5280 (Chapter 6) would ignore it when validating the certificate chain. Serial numbers are used for checking CRLs, but they are not relevant for explaining the basics of certificate chains, so I think that paragraph should be removed. M. Quijada 14:20, 1 September 2015 (UTC) — Preceding unsigned comment added by Manuel.quijada.serrano (talk • contribs)

Hello fellow Wikipedians,

I have just modified 2 external links on X.509. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive http://web.archive.org/web/20130103202328/http://www.ssltools.com:80/certificate_lookup to http://www.ssltools.com/certificate_lookup
• Added archive http://web.archive.org/web/20130108010738/http://www.ssltools.com:80/manager to http://www.ssltools.com/manager

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 13:31, 21 July 2016 (UTC)[reply]

The article says the following:

The expiration date should be used to limit the time the key strength is deemed sufficient^{[dubious – discuss]}. This parameter is abused by certification authorities to charge the client an extension fee^{[citation needed]}.

This is bad advice. Without an expiration date, the size of the CRL will grow in an unbounded fashion, which is unacceptable for all but the smallest CAs. The absence of a reasonable expiration date would also make it difficult to force switches to new CA root certificates and decommission old ones. I recommend this language be removed. Darco (talk) 23:27, 12 June 2018 (UTC)[reply]

With no regard to the relative merits or demerits of the statement itself, I strongly agree this line should be removed and, as no one has raised any reasonable counter-argument for keeping it in over a year since this was pointed out, have done so. The entire thing read as unsourced editorializing and a blatant violation of WP:NPOV. If someone wishes to reinstate it, they should rephrase it with citation to a notable source that presents this viewpoint. Dorm41baggins (talk) 16:15, 19 September 2019 (UTC)[reply]

In the 4th para of the Certificates section of this article, it talks about browsers and certificates. Chrome at al (at least on Windows) just leverage the Windows certificate store not some separate store. So if I have a CA Cert from RougeCert.EvilDudes.Com and install it in one of the trusted root stores - Chrome will happily go to an HTTPS site with a certificate issued by EvilDudes. This section could be rewritten to discuss MSFT's trusted root programme (Microsoft does not charge a fee for including a CA's certificates. See https://technet.microsoft.com/en-gb/library/cc751157.aspx?f=255&MSPPError=-2147217396).

The article says that MD2 was vulnerable to a preimage attack, but I haven't found any reference to this. The Wikipedia page says the reverse---that no efficient attack was ever discovered. Simsong (talk) 01:01, 11 September 2020 (UTC)[reply]

This edit updated the sample end-entity certificate but not the intermediate or root certificates, however the text indicates these are supposed to form a single chain, which makes for a better example for those learning this stuff.

As it is, the end-entity certificate used has expired now, and it also appears wikipedia isn't using Let's Encrypt anymore, so I think the easiest thing would be to replace all three samples with the current certificate chain.

I'm not confident enough with x509 to update the page directly, but I did want to propose the update here. Unfortunately, I don't currently have network access with the right tools. I think it basically just needs the output of running openssl s_client -showcerts -connect www.wikipedia.org:443. --Hoprit (talk) 15:14, 25 January 2022 (UTC)[reply]

Easier: revert to the old certificate, which continues to serve as a fine example, right? I've gone ahead and done that. Now other previously incorrect mentions like "GlobalSign", which did need updating, are correct again - bonus.

Anyway, if someone does want to properly update the page to use current certs, go for it! But this problem would simply come up again in the future, I think, so until there are significant changes to x509 in general I think we may as well continue using the 2016 example. 137.94.177.61 (talk) 18:28, 7 October 2022 (UTC)[reply]

It’s been broken for well over a year. The link reports a database connection error and the root site says it’s being migrated. 2600:8803:74A3:E600:A90F:7D7C:4F36:F67F (talk) 17:42, 3 December 2022 (UTC)[reply]

Removed. Thanks for the suggestion! Brandon (talk) 07:51, 5 December 2022 (UTC)[reply]