[cabfcert_policy] CA vs. CA draft proposal

Peter Bowen pzb at amzn.com
Thu Mar 24 06:43:23 MST 2016


New Definitions:

Certificate Issuer (CI): An issuer of Certificates defined by a distinct Distinguished Name and Public Key

CI Certificate: A Certificate for which any of the following are true:
- A Basic Constraints extension is present and the cA component is set to TRUE
- A Key Usage extension is present and the keyCertSign bit is set

CI Key Pair: A Key Pair which has its Public Key included in a CI Certificate

Cross-Certificate: A CI certificate which is not a Self-Issued CI Certificate

End-entity Certificate: A Certificate which is not a CI Certificate

Root CI: A CI which is distributed by Application Software Suppliers as a trust anchor

Root CI Key Pair: A CI Key Pair which has its Public Key included in a Root Certificate

Root CI Certificate: A CI Certificate which contains the Public Key from a Root CI Key Pair

Self-Issued CI Certificate: A CI Certificate where the subject and issuer Distinguished Names match

Technically Constrained CI Certificate: A CI certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which CI may issue Subscriber or additional CI Certificates.

Modifications:

In section 3.1.5, insert the following text:

Each CI Public Key MUST be associated with a single distinct Distinguished Name.  Each CI Distinguished Name MUST be associated with a single unique Public Key.

In section 4.3.1, append the following text:

A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.

<more to change CA to CI where appropriate>
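As an added example (not part of Peter Bowen's proposal or any CA/Browser Forum text), the following Python script applies the definitions above and the proposed 3.1.5 rule to a constructed sample hierarchy using the `cryptography` library: it classifies each certificate as End-entity, Self-Issued CI, or Cross-Certificate, and flags a CI Certificate that reuses an existing CI Distinguished Name with a different Public Key. The subject names, the `mint` helper and the `sample_certificates` hierarchy are assumptions made for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def is_ci_certificate(cert):
    """CI Certificate: Basic Constraints with cA=TRUE, or Key Usage with keyCertSign set."""
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    return bool(bc and bc.ca) or bool(ku and ku.key_cert_sign)

def classify(cert):
    if not is_ci_certificate(cert):
        return "End-entity Certificate"
    return "Self-Issued CI Certificate" if cert.subject == cert.issuer else "Cross-Certificate"

def dn_key_binding_violations(certs):
    """Proposed 3.1.5 check: across CI Certificates, each Public Key <-> exactly one DN."""
    key_to_dn, dn_to_key, out = {}, {}, []
    for c in filter(is_ci_certificate, certs):
        key = x509.SubjectKeyIdentifier.from_public_key(c.public_key()).digest  # key fingerprint
        dn = c.subject.rfc4514_string()
        if key_to_dn.setdefault(key, dn) != dn:
            out.append(f"key of {dn} already bound to {key_to_dn[key]}")
        if dn_to_key.setdefault(dn, key) != key:
            out.append(f"DN {dn} bound to a second key")
    return out

def mint(cn, key, issuer, signer, ca):  # constructed sample issuance, not from the proposal
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer or name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signer, hashes.SHA256())

def sample_certificates():  # constructed hierarchy: root, issuing CI, leaf, and a DN re-use
    root_key, ci_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = mint("Example Root", root_key, None, root_key, ca=True)
    cross = mint("Example Issuing CI", ci_key, root.subject, root_key, ca=True)
    leaf = mint("www.example.test", ee_key, cross.subject, ci_key, ca=False)
    dup = mint("Example Issuing CI", ee_key, root.subject, root_key, ca=True)  # same DN, new key
    return root, cross, leaf, dup
```

Note that under the proposal's definitions the intermediate issued by the root is a Cross-Certificate, since it is a CI Certificate that is not Self-Issued.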
