Description
While trying to implement the OSP certificate requirements in Rust (https://github.com/youtube/openscreen-rs), I ran into difficulty creating self-signed certificates in the way the spec demands.
The spec states that certificates are self-signed, while also requiring:
- Subject CN = agent hostname
- Issuer CN = model-name
When trying to implement this with the rcgen crate, rcgen generates self-signed certificates with Issuer == Subject, which makes it impossible to satisfy both “self-signed” and “Issuer CN = model-name” while also keeping “Subject CN = hostname”.
It seems this design is unusual to the point that it can be incompatible with assumptions in existing tooling/libraries. Implementers may be unable to comply with the spec as written using standard X.509 tooling.
(I'm not proposing a solution yet, just flagging the ambiguity that seems to block straightforward compliant implementations.)