[cabfcert_policy] CA vs. CA draft proposal
Ben Wilson
ben.wilson at digicert.com
Thu Mar 24 07:43:25 MST 2016
After discussing this a bit, I'd prefer sticking to "CA" when using it as an
adjective. Also, I still think it might be better to replace "CA," when
talking about the entity, with either "CSP" or "CASP"--even if that means
making sweeping changes throughout the guideline documents.
-----Original Message-----
From: policyreview-bounces at cabforum.org
[mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, March 24, 2016 7:58 AM
To: Peter Bowen <pzb at amzn.com>; policyreview at cabforum.org
Subject: Re: [cabfcert_policy] CA vs. CA draft proposal
Thanks! Let's discuss today.
-----Original Message-----
From: policyreview-bounces at cabforum.org
[mailto:policyreview-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Thursday, March 24, 2016 7:43 AM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] CA vs. CA draft proposal
New Definitions:
Certificate Issuer (CI): An issuer of Certificates defined by a distinct
Distinguished Name and Public Key
CI Certificate: A Certificate for which any of the following are true:
- A Basic Constraints extension is present and the cA component is set to
TRUE
- A Key Usage extension is present and the keyCertSign bit is set
CI Key Pair: A Key Pair which has its Public Key included in a CI
Certificate
Cross-Certificate: A CI certificate which is not a Self-Issued CI
Certificate
End-entity Certificate: A Certificate which is not a CI Certificate
Root CI: A CI which is distributed by Application Software Suppliers as a
trust anchor
Root CI Key Pair: A CI Key Pair which has its Public Key included in a Root
Certificate
Root CI Certificate: A CI Certificate which contains the Public Key from a
Root CI Key Pair
Self-Issued CI Certificate: A CI Certificate where the subject and issuer
Distinguished Names match
Technically Constrained CI Certificate: A CI certificate which uses a
combination of Extended Key Usage settings and Name Constraint settings to
limit the scope within which CI may issue Subscriber or additional CI
Certificates.
Modifications:
In section 3.1.5, insert the following text:
Each CI Public Key MUST be associated with a single distinct Distinguished
Name. Each CI Distinguished Name MUST be associated with a single unique
Public Key.
In section 4.3.1, append the following text:
A CA shall only issue a Self-Issued CI Certificate when the Private Key used
by the CA to sign the Certificate corresponds to the Public Key that is
certified within the Certificate.
<more to change CA to CI where appropriate>
_______________________________________________
Policyreview mailing list
Policyreview at cabforum.org
https://cabforum.org/mailman/listinfo/policyreview
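The draft definitions above are mechanical enough to check in code. The following is an added example, not part of the thread or of any CA/Browser Forum document: it models a certificate as a small dataclass holding only the fields the definitions depend on, classifies each certificate under the proposed "CI Certificate", "Self-Issued", "Cross-Certificate", "End-entity" and "Technically Constrained" definitions, and then checks the proposed 3.1.5 rule (one CI Distinguished Name per key and one key per name) and the proposed 4.3.1 rule (a Self-Issued CI Certificate must be signed by the key it certifies) over a constructed sample PKI. Public keys are stood in for by constructed fingerprint strings (`K1`..`K6`), and the key that produced each signature is recorded in a `signed_by` field rather than verified cryptographically; those are simplifications of the example, not anything the draft specifies.

```python
"""Added example: classify certificates under the draft CI definitions and
check the proposed 3.1.5 / 4.3.1 rules over a small constructed PKI.
Certificates are a simplified model (only the fields the definitions use);
key material is replaced by constructed fingerprint strings, and the key
that produced each signature is recorded directly instead of verified."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str                    # subject Distinguished Name
    issuer: str                     # issuer Distinguished Name
    public_key: str                 # fingerprint of the certified Public Key (constructed)
    signed_by: str                  # fingerprint of the key that signed it (assumed known)
    bc_present: bool = False        # Basic Constraints extension present
    bc_ca: bool = False             # ... and its cA component is TRUE
    ku_present: bool = False        # Key Usage extension present
    ku_cert_sign: bool = False      # ... and the keyCertSign bit is set
    eku: frozenset = frozenset()    # Extended Key Usage values, empty if absent
    name_constraints: bool = False  # Name Constraints extension present


def is_ci_certificate(c: Cert) -> bool:
    """CI Certificate: Basic Constraints cA=TRUE *or* Key Usage keyCertSign set."""
    return (c.bc_present and c.bc_ca) or (c.ku_present and c.ku_cert_sign)


def is_self_issued(c: Cert) -> bool:
    """Self-Issued CI Certificate: subject and issuer Distinguished Names match."""
    return is_ci_certificate(c) and c.subject == c.issuer


def is_self_signed(c: Cert) -> bool:
    """Signed by the private key matching the certified public key (4.3.1)."""
    return c.signed_by == c.public_key


def is_technically_constrained(c: Cert) -> bool:
    """Technically Constrained: EKU and Name Constraints both limit the scope."""
    return is_ci_certificate(c) and bool(c.eku) and c.name_constraints


def labels(c: Cert) -> tuple[str, ...]:
    """All draft definitions that apply to one certificate."""
    if not is_ci_certificate(c):
        return ("End-entity Certificate",)
    out = ["CI Certificate",
           "Self-Issued CI Certificate" if is_self_issued(c) else "Cross-Certificate"]
    if is_technically_constrained(c):
        out.append("Technically Constrained CI Certificate")
    return tuple(out)


def check_key_name_binding(certs) -> list[str]:
    """Section 3.1.5: each CI DN maps to one key and each CI key to one DN.
    A CI is observed as the subject of a CI certificate and as the issuer of
    any certificate, so both (DN, key) pairs are collected."""
    dn_keys, key_dns = defaultdict(set), defaultdict(set)
    for c in certs:
        pairs = [(c.issuer, c.signed_by)]
        if is_ci_certificate(c):
            pairs.append((c.subject, c.public_key))
        for dn, key in pairs:
            dn_keys[dn].add(key)
            key_dns[key].add(dn)
    problems = [f"DN {dn!r} bound to keys {sorted(k)}" for dn, k in dn_keys.items() if len(k) > 1]
    problems += [f"key {key!r} bound to DNs {sorted(d)}" for key, d in key_dns.items() if len(d) > 1]
    return sorted(problems)


def check_self_issued_signing(certs) -> list[str]:
    """Section 4.3.1: a Self-Issued CI Certificate must also be self-signed."""
    return [c.subject for c in certs if is_self_issued(c) and not is_self_signed(c)]


# Constructed sample PKI; fingerprints K1..K6 are placeholders, not real keys.
ROOT_DN, SUB_DN = "CN=Example Root CI", "CN=Example Issuing CI"
ROOT = Cert(ROOT_DN, ROOT_DN, "K1", "K1", True, True, True, True)
SUB = Cert(SUB_DN, ROOT_DN, "K2", "K1", True, True, True, True)
CONSTRAINED = Cert("CN=Example Constrained CI", ROOT_DN, "K3", "K1", True, True, True, True,
                   eku=frozenset({"serverAuth"}), name_constraints=True)
LEGACY = Cert("CN=Example Legacy CI", ROOT_DN, "K4", "K1", ku_present=True, ku_cert_sign=True)
LEAF = Cert("CN=www.example.test", SUB_DN, "K5", "K2", bc_present=True, ku_present=True)
GOOD_PKI = [ROOT, SUB, CONSTRAINED, LEGACY, LEAF]
# Key-rollover certificate: same DN as the root, new key K6, signed by old key K1.
ROLLOVER = Cert(ROOT_DN, ROOT_DN, "K6", "K1", True, True, True, True)

if __name__ == "__main__":
    for c in GOOD_PKI + [ROLLOVER]:
        print(f"{c.subject:28} {', '.join(labels(c))}")
    print("3.1.5 violations:", check_key_name_binding(GOOD_PKI + [ROLLOVER]))
    print("4.3.1 violations:", check_self_issued_signing(GOOD_PKI + [ROLLOVER]))
```

Two consequences of the draft wording show up in the sample data: `LEGACY` has no Basic Constraints extension at all but counts as a CI Certificate because the definition says "any of the following" and keyCertSign is set, and `ROLLOVER` (an old-key-signs-new-key certificate carrying the root's DN) is flagged by both checks, since it is Self-Issued but not self-signed and it binds a second key to the same Distinguished Name.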