[cabfcert_policy] Distinction between Intermediate CAs and Subordinate CAs

Dimitris Zacharopoulos jimmy at it.auth.gr
Sat Feb 20 15:07:50 MST 2016

Hello everyone,

Please forgive me if this topic has been discussed before.

There was a recent post in the mozilla-dev-security-policy list 
regarding the definitions of Certification Authority, Root CA, 
Subordinate CA, Intermediate CA. According to the current definitions of 
the BR, we have the following:

  * *Certification Authority:* An organization that is responsible for
    the creation, issuance, revocation, and management of Certificates.
    The term applies equally to both Root CAs and Subordinate CAs.
  * *Root Certificate:* The self-signed Certificate issued by the Root CA
    to identify itself and to facilitate verification of Certificates
    issued to its Subordinate CAs.
  * *Subordinate CA:* A Certification Authority whose Certificate is
    signed by the Root CA, or another Subordinate CA.

There is no definition of an "Intermediate Certificate" or an 
"Intermediate CA Certificate" in the BRs or the EV Guidelines. In fact, 
the word "intermediate" does not appear in either of the two documents.

It is very clear that a Certification Authority is an organization, 
mainly the organization that controls the Root Certificate private key. 
Does this mean that a "Subordinate CA" is a _different_ organization 
which is non-affiliated with the Certification Authority that controls 
the Root Certificate private key?

When a CA that controls the Root Certificate private key issues a 
Certificate (which contains an X.509v3 basicConstraints extension, with 
the cA boolean set to true) and which is controlled by the same 
organization that controls the Root key, what is the proper definition 
for this Certificate? Is it a Subordinate CA Certificate, an 
Intermediate CA Certificate, or is it called something different?

I had several discussions with people involved in other CAs and there 
seems to be some confusion with this term (intermediateCA/subordinateCA) 
which is why I believe it would be nice to add a definition for 
"Intermediate CA Certificates" or "Intermediate CAs" in section 1.6.1 of 
the BR. This ambiguity is also noted in a Wikipedia definition of 
"intermediate certificate authorities" 
<https://en.wikipedia.org/wiki/Intermediate_certificate_authorities>. I 
made an attempt to write a definition hoping to clarify this issue.

*"Intermediate CA Certificate:* A Certificate issued by a Root 
Certificate or another Intermediate CA Certificate which is deemed as 
capable of being used to issue new certificates and which contains an 
X.509v3 basicConstraints extension, with the cA boolean set to true. If 
an Intermediate CA Certificate is issued to a non-affiliated 
organization, then this Intermediate CA Certificate is also referred to 
as an Intermediate CA Certificate of a Subordinate CA".

I would appreciate any feedback/comments regarding this issue.

All the best,
Dimitris Zacharopoulos.
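As an added illustration (not part of the original post or of the BRs), the proposed definition can be encoded as a classifier over a certificate chain: a certificate is named from its basicConstraints cA boolean, whether it is self-issued, and whether the Subject organization matches the Issuer organization (the "non-affiliated organization" case). The `Cert` record, the organization names and the sample hierarchy below are constructed for the example; a real implementation would read these fields from parsed X.509 certificates and verify signatures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Fields the proposed definition relies on (constructed model, not a real X.509 parser)."""
    subject_cn: str
    subject_org: str   # O= of the Subject
    issuer_cn: str
    issuer_org: str    # O= of the Issuer
    ca: bool           # basicConstraints cA boolean

def classify(cert):
    """Name a certificate under the BR terms discussed in the post."""
    self_issued = (cert.subject_cn, cert.subject_org) == (cert.issuer_cn, cert.issuer_org)
    if cert.ca and self_issued:            # real code would also verify the self-signature
        return "Root Certificate"
    if cert.ca:
        if cert.subject_org != cert.issuer_org:   # issued to a non-affiliated organization
            return "Intermediate CA Certificate of a Subordinate CA"
        return "Intermediate CA Certificate"      # same organization controls the Root key
    return "Subscriber Certificate"

def check_chain(chain):
    """Walk leaf -> root, checking each link, and return the BR name of each certificate."""
    for child, parent in zip(chain, chain[1:]):
        if (child.issuer_cn, child.issuer_org) != (parent.subject_cn, parent.subject_org):
            raise ValueError(f"{child.subject_cn}: issuer does not match {parent.subject_cn}")
        if not parent.ca:
            raise ValueError(f"{parent.subject_cn}: cA is false, cannot issue certificates")
    if classify(chain[-1]) != "Root Certificate":
        raise ValueError("chain does not end in a self-signed Root Certificate")
    return [classify(c) for c in chain]

# Constructed sample hierarchy: one Root, one in-house issuing CA, one CA run by a partner.
ROOT = Cert("Example Root CA", "Example CA Org", "Example Root CA", "Example CA Org", True)
INHOUSE_ICA = Cert("Example Issuing CA G1", "Example CA Org", "Example Root CA", "Example CA Org", True)
PARTNER_ICA = Cert("Partner Issuing CA", "Partner Org", "Example Root CA", "Example CA Org", True)
LEAF = Cert("www.example.test", "Example Site Ltd", "Partner Issuing CA", "Partner Org", False)

if __name__ == "__main__":
    for name in check_chain([LEAF, PARTNER_ICA, ROOT]):
        print(name)
    print(classify(INHOUSE_ICA))
```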
