Assumptions about self signed state about asn1crypto HOT 4 CLOSED

To quote from rfc 5280 section §3.2:
Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.

So in my opinion, the property could be renamed self_issued and made a bool. In absense of the Authority + Subject Key identifiers, the non-extension issuer+subject fields could be compared.

self_signed, with actual verification of the signature, is probably out of scope for asn1crypto. It's an ASN.1 library without any dependencies. So there is no access to crypto libs that would be required to verify the signature.

from asn1crypto.

The self_issued property is there already and seems fine to me. I agree to an extent that self_signed is out of scope, but I also think it's a nice property for the cert to be able to carry with it, which I imagine is why Will put it there. Setting it to maybe instead of yes will cause the code in CertValidator to do the crypto (which is exactly where we should be doing the verification) instead of assuming the signature is valid without checking. There is still no crypto being performed in asn1crypto in any case - it's up to the consumer of the cert to do what it will with the 'maybe'.

from asn1crypto.

For backwards compatibility, it probably makes sense that self_signed can only be no or maybe. Just never return the yes value any longer. That way we don't break the API, but also aren't misleading people.

from asn1crypto.

This should be resolved by 7647163

from asn1crypto.