[cabfcert_policy] Distinction between Intermediate CAs and Subordinate CAs

Peter Bowen pzb at amzn.com
Sat Feb 20 18:24:31 MST 2016


> On Feb 20, 2016, at 4:50 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
> 
> On 21/2/2016 1:56 AM, Peter Bowen wrote:
>> Dimitris,
>> 
>> I think you bring up a reasonable set of questions.  As you point out “Intermediate CA” is never used in the BRs, and is only used in the X.509 in a descriptive sense, so I don’t think we need to define it.
>> 
>> Here is how I think about things (which does not exactly align with the current definitions):
>> 
>> Certification Service Provider (CSP): An organization that is responsible for one or more Certification Authorities which issue and revoke Certificates.  
>> 
>> Certification Authority (CA): A specific issuer of certificates.  In the Internet PKI, each CA has a single distinct Distinguished Name (DN) and has a single defined CSP.
>> 
>> Root CA: A CA that the CSP designates as a "root".  By designating it as such, the CSP agrees that it follows the practices for Root CAs.
>> 
>> CA Certificate: An X.509 public key certificate containing a Basic Constraints extension with the cA component having the value TRUE
>> 
>> End-entity Certificate: An X.509 public key certificate that is not a CA Certificate
>> 
>> Self-issued Certificate: A CA certificate where the Issuer DN matches the Subject DN
>> 
>> Subordinate CA Certificate: A CA certificate where the Subject DN is not that of a Root CA
>> 
>> Cross Certificate: A CA certificate when the Issuer DN does not match the Subject DN
>> 
>> Trust Anchor: A Distinguished Name and Public Key pair that is used to validate the first certificate in a sequence of certificates.
>> 
>> This does not define “Subordinate CA”, but I think this is fine because that term alone is fairly useless.  You have requirements for all CA and then you have additional requirements for Root CAs.  I don’t think there is ever a situation where you have requirements that only apply to CAs which are not Root CAs.
>> 
>> Does this help at all?
>> 
>> Thanks,
>> Peter
> 
> Hello Peter,
> 
> Thank you for the clarifications. I am trying to get a better understanding of the current definitions as they are already described in the BRs, and mainly of the definition of a Subordinate CA. The BRs have certificate profiles specifically for Subordinate CA Certificates (section 7.1.2.2). If the Subordinate CA is an "organization" other than the organization that controls the Root CA (mainly described in the BR as "the CA"), then these profiles should be named profiles for "Intermediate CAs". There seems to be an inconsistency.

My Interpretation, for the purposes of 7.1.2.1 and 7.1.2.2, is:

Root CA Certificate: A self-issued certificate where the public key was generated as a Root CA Key Pair according to the provisions of 6.1.1.1, used only in accordance with 6.1.7, and is maintained in an offline state or air-gapped from all other networks (see Network & Certificate System Security Requirements 1.c).

Subordinate CA Certificate: Any CA certificate that is not a Root CA Certificate

> If we all agree that a subordinate CA refers to a different organization, other than the one controlling the Root, then we should have two types of "Intermediate CAs":

No.  Subordinate CA can be the same organization as the Root CA.
> Intermediate CAs under the control of the CA that controls the private key of the Root (which could also have the anyPolicy OID)
> Intermediate CAs under the control of a subordinate CA (a different organization to the one controlling the private key of the Root) (which must have a specific policy OID)
> Perhaps it would help if someone tried to answer the two questions I posted in my first e-mail with the current official definitions of the BR.
> 
> "It is very clear that a Certification Authority is an organization, mainly the organization that controls the Root Certificate private key. Does this mean that a "Subordinate CA" is a different organization which is non-affiliated with the Certification Authority that controls the Root Certificate private key?”

No.  See 7.1.2.2; a Subordinate CA may be controlled by the same entity as the Root CA or a different entity.

> "When a CA that controls the Root Certificate private key, issues an Certificate (which contains an X.509v3 basicConstraints extension, with the cA boolean set to true) and which is controlled by the same organization that controls the Root key, what is the proper definition for this Certificate? Is it a Subordinate CA Certificate, an Intermediate CA Certificate or is it called something different?”

Subordinate CA Certificate

> I suppose if people have a hard time answering these questions, the policy working group must try to improve the definitions and the respective language of the BRs when it comes to subordinate CAs.

The BRs do need improvement in this area.  I’m not sure if it is in scope for this WG or not.

> 
> Best regards,
> Dimitris.
> 
>> 
>>> On Feb 20, 2016, at 2:07 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
>>> 
>>> Hello everyone,
>>> 
>>> Please forgive me if this topic has been discussed before.
>>> 
>>> There was a recent post in the mozilla-dev-security-policy list regarding the definitions of Certification Authority, Root CA, Subordinate CA, Intermediate CA. According to the current definitions of the BR, we have the following:
>>> Certification Authority: An organization that is responsible for the creation, issuance, revocation, and management of Certificates. The term applies equally to both Root CAs and Subordinate CAs.
>>> Root Certificate: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.
>>> Subordinate CA: A Certification Authority whose Certificate is signed by the Root CA, or another Subordinate CA.
>>> There is no definition of an "Intermediate Certificate" or an "Intermediate CA Certificate" in the BRs or the EV Guidelines. In fact, the word "intermediate" does not exist in either of the two documents.
>>> It is very clear that a Certification Authority is an organization, mainly the organization that controls the Root Certificate private key. Does this mean that a "Subordinate CA" is a different organization which is non-affiliated with the Certification Authority that controls the Root Certificate private key?
>>> When a CA that controls the Root Certificate private key issues a Certificate (which contains an X.509v3 basicConstraints extension, with the cA boolean set to true) and which is controlled by the same organization that controls the Root key, what is the proper definition for this Certificate? Is it a Subordinate CA Certificate, an Intermediate CA Certificate or is it called something different?
>>> I had several discussions with people involved in other CAs and there seems to be some confusion with this term (intermediateCA/subordinateCA) which is why I believe it would be nice to add a definition for "Intermediate CA Certificates" or "Intermediate CAs" in section 1.6.1 of the BR. This ambiguity is also noted in a wikipedia definition of "intermediate certificate authorities" <https://en.wikipedia.org/wiki/Intermediate_certificate_authorities>. I made an attempt to write a definition hoping to clarify this issue.
>>> "Intermediate CA Certificate: A Certificate issued by a Root Certificate or another Intermediate CA Certificate which is deemed as capable of being used to issue new certificates and which contains an X.509v3 basicConstraints extension, with the cA boolean set to true. If an Intermediate CA Certificate is issued to a non-affiliated organization, then this Intermediate CA Certificate is also referred to as an Intermediate CA Certificate of a Subordinate CA".
>>> 
>>> I would appreciate any feedback/comments regarding this issue.
>>> 
>>> All the best,
>>> Dimitris Zacharopoulos.
>>> _______________________________________________
>>> Policyreview mailing list
>>> Policyreview at cabforum.org
>>> https://cabforum.org/mailman/listinfo/policyreview
>> 
> 
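The classification Peter sketches earlier in this thread (CA versus end-entity by the basicConstraints cA flag, self-issued versus cross certificate by comparing Issuer DN with Subject DN, subordinate by whether the Subject DN is that of a designated Root, and a trust anchor as a DN plus public key) applied to a small constructed PKI, including a Root CA cross-certified by an older Root. This is an added example and not code from the thread or from the CA/Browser Forum; the Cert model stands in for the fields a real X.509 parser would extract, and every DN, key identifier and the Old Root cross-certification scenario is invented for the example.

```python
"""Classify CA certificates by the DN / basicConstraints rules discussed in
the thread, then build a certification path to a trust anchor.

Cert is a constructed stand-in for the fields a real X.509 parser would
extract; the key identifiers stand in for public keys and signatures."""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Anchor = Tuple[str, str]  # (Distinguished Name, public key) pair


@dataclass(frozen=True)
class Cert:
    subject: str      # Subject DN
    issuer: str       # Issuer DN
    key: str          # subject public key (stand-in)
    signer_key: str   # key that produced the signature (stand-in)
    ca: bool          # basicConstraints cA


def classify(cert: Cert, anchors: FrozenSet[Anchor]) -> FrozenSet[str]:
    """Apply the definitions from the thread.  The organization operating
    the key is deliberately not an input: a same-organization issuing CA
    and a partner's CA receive the same labels."""
    if not cert.ca:
        return frozenset({"End-entity Certificate"})
    labels = {"CA Certificate"}
    root_dns = {dn for dn, _ in anchors}   # "Root" is a CSP designation
    if cert.issuer == cert.subject:
        labels.add("Self-issued Certificate")
        if (cert.subject, cert.key) in anchors:   # example's reading of 7.1.2.1
            labels.add("Root CA Certificate")
    else:
        labels.add("Cross Certificate")
    if cert.subject not in root_dns:
        labels.add("Subordinate CA Certificate")
    return frozenset(labels)


def build_path(leaf: Cert, pool: List[Cert], anchors: FrozenSet[Anchor],
               max_len: int = 6) -> Optional[List[Cert]]:
    """Breadth-first search from `leaf` along issuer DNs until a certificate
    is validated directly by a trust anchor (DN and key must both match).
    Returns the shortest path, leaf first, or None if no anchor is reached."""
    queue = deque([(leaf,)])
    while queue:
        path = queue.popleft()
        cur = path[-1]
        if (cur.issuer, cur.signer_key) in anchors:
            return list(path)
        if len(path) >= max_len:
            continue
        for cand in pool:
            if (cand.ca and cand.subject == cur.issuer
                    and cand.key == cur.signer_key and cand not in path):
                queue.append(path + (cand,))
    return None


# --- constructed miniature PKI (all names and keys invented) ---------------
ROOT_G1_DN = "CN=Example Root G1,O=Example CSP"
OLD_ROOT_DN = "CN=Example Old Root,O=Example CSP"
ISSUING_DN = "CN=Example Issuing CA 1,O=Example CSP"
PARTNER_DN = "CN=Partner Issuing CA,O=Partner Org"

root_g1 = Cert(ROOT_G1_DN, ROOT_G1_DN, "key-root-g1", "key-root-g1", True)
old_root = Cert(OLD_ROOT_DN, OLD_ROOT_DN, "key-old-root", "key-old-root", True)
# Root G1 cross-certified by the old root: same Subject DN and key as root_g1
root_g1_cross = Cert(ROOT_G1_DN, OLD_ROOT_DN, "key-root-g1", "key-old-root", True)
# Issuing CA run by the same organization as the root
issuing_ca = Cert(ISSUING_DN, ROOT_G1_DN, "key-issuing-1", "key-root-g1", True)
# Issuing CA run by a different organization, also chaining to Root G1
partner_ca = Cert(PARTNER_DN, ROOT_G1_DN, "key-partner", "key-root-g1", True)
leaf = Cert("CN=www.example.com", ISSUING_DN, "key-leaf", "key-issuing-1", False)

POOL = [root_g1, old_root, root_g1_cross, issuing_ca, partner_ca, leaf]
ANCHORS_ALL = frozenset({(ROOT_G1_DN, "key-root-g1"), (OLD_ROOT_DN, "key-old-root")})
ANCHORS_NEW_ONLY = frozenset({(ROOT_G1_DN, "key-root-g1")})
ANCHORS_OLD_ONLY = frozenset({(OLD_ROOT_DN, "key-old-root")})

if __name__ == "__main__":
    for c in POOL:
        print(f"{c.subject:45} {sorted(classify(c, ANCHORS_ALL))}")
    for name, anchors in (("new root", ANCHORS_NEW_ONLY), ("old root", ANCHORS_OLD_ONLY)):
        path = build_path(leaf, POOL, anchors)
        print(name, "->", [c.subject for c in path] if path else None)
```

Two things the run makes visible: issuing_ca and partner_ca get identical labels, because nothing in the definitions looks at who operates the key; and root_g1_cross is a Cross Certificate but not a Subordinate CA Certificate, since its Subject DN is a Root's. The path search also shows why the trust anchor is a DN and key pair rather than a certificate: with only the new Root as anchor the path stops at issuing_ca, while with only the old Root as anchor it is extended through the cross certificate, and the self-issued root certificate is never needed in either path.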
