[cabfcert_policy] CA vs. CA draft proposal
Brown, Wendy (10421)
wendy.brown at protiviti.com
Thu Mar 24 08:16:30 MST 2016
I missed the policy call this morning based on it showing up on my calendar at the wrong time.
But I have a question on one of the suggestions below:
In section 4.3.1, append the following text:
A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.
I believe this is the definition of a self-signed certificate rather than a self-issued one.
A self-issued certificate may also include certificates issued when a CA does a key rollover and signs the new key with the old and vice versa. In these self-issued certificates the Private Key used by the CA to sign the Certificates does NOT correspond to the Public Key in the same certificate.
Thanks,
Wendy
Wendy Brown
Protiviti Government Services
703-299-4705 (office) 703-965-2990 (cell)
wendy.brown at protiviti.com
-----Original Message-----
From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Thursday, March 24, 2016 9:43 AM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] CA vs. CA draft proposal
New Definitions:
Certificate Issuer (CI): An issuer of Certificates defined by a distinct Distinguished Name and Public Key
CI Certificate: A Certificate for which any of the following are true:
- A Basic Constraints extension is present and the cA component is set to TRUE
- A Key Usage extension is present and the keyCertSign bit is set
CI Key Pair: A Key Pair which has its Public Key included in a CI Certificate
Cross-Certificate: A CI certificate which is not a Self-Issued CI Certificate
End-entity Certificate: A Certificate which is not a CI Certificate
Root CI: A CI which is distributed by Application Software Suppliers as a trust anchor
Root CI Key Pair: A CI Key Pair which has its Public Key included in a Root Certificate
Root CI Certificate: A CI Certificate which contains the Public Key from a Root CI Key Pair
Self-Issued CI Certificate: A CI Certificate where the subject and issuer Distinguished Names match
Technically Constrained CI Certificate: A CI certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the CI may issue Subscriber or additional CI Certificates.
Modifications:
In section 3.1.5, insert the following text:
Each CI Public Key MUST be associated with a single distinct Distinguished Name. Each CI Distinguished Name MUST be associated with a single unique Public Key.
In section 4.3.1, append the following text:
A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.
<more to change CA to CI where appropriate>

_______________________________________________
Policyreview mailing list
Policyreview at cabforum.org
https://cabforum.org/mailman/listinfo/policyreview
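The self-issued versus self-signed distinction raised in Wendy Brown's reply, applied to Peter Bowen's draft definitions above, as an added example that is not part of either message and not CA/Browser Forum material. The Go program below uses only the standard library's crypto/x509; it constructs a key-rollover scenario (one CA Distinguished Name, an old key pair and a new key pair, each root self-signed, plus the "new-with-old" and "old-with-new" certificates that link them), then classifies every certificate. The mapping of the draft's definitions to X.509 fields, the helper names (Classify, ViolatesProposed431, BuildScenario, issue, ciTemplate) and the sample DNs are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Class records how a certificate falls under the draft's definitions.
// The mapping to X.509 fields is this example's assumption.
type Class struct {
	CI         bool // basicConstraints cA=TRUE, or keyUsage keyCertSign set
	SelfIssued bool // CI cert whose subject DN equals its issuer DN
	SelfSigned bool // signature verifies under the certified public key itself
	Cross      bool // CI cert that is not self-issued
}

// Classify applies the draft definitions to a parsed certificate.
func Classify(c *x509.Certificate) Class {
	var k Class
	k.CI = (c.BasicConstraintsValid && c.IsCA) || (c.KeyUsage&x509.KeyUsageCertSign) != 0
	if !k.CI {
		return k // End-entity Certificate: no CI sub-class applies
	}
	k.SelfIssued = c.Subject.String() == c.Issuer.String()
	// The proposed 4.3.1 wording ("Private Key used ... corresponds to the Public
	// Key that is certified") is the self-signed test: does the certificate's own
	// public key verify its signature?
	k.SelfSigned = c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	k.Cross = !k.SelfIssued
	return k
}

// ViolatesProposed431 is true for a self-issued CI certificate that is not
// self-signed, which is what the proposed 4.3.1 text as written would forbid.
func ViolatesProposed431(c *x509.Certificate) bool {
	k := Classify(c)
	return k.SelfIssued && !k.SelfSigned
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// ciTemplate is a CA-style template: cA=TRUE plus keyCertSign.
func ciTemplate(serial int64, name pkix.Name) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: name,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
}

// issue certifies pub under tmpl; the issuer DN comes from parent and the
// signature from signer, which must hold parent's private key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario is a constructed key rollover with a cross-certificate and a leaf added.
type Scenario struct {
	OldRoot, NewRoot, NewWithOld, OldWithNew, Cross, Leaf *x509.Certificate
}

func BuildScenario() Scenario {
	caName := pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Org"}}
	otherName := pkix.Name{CommonName: "Other CA", Organization: []string{"Other Org"}}
	oldKey, newKey, otherKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	oldT, newT := ciTemplate(1, caName), ciTemplate(2, caName)
	var s Scenario
	s.OldRoot = issue(oldT, oldT, &oldKey.PublicKey, oldKey) // parent == template: self-signed
	s.NewRoot = issue(newT, newT, &newKey.PublicKey, newKey)
	// Rollover pair: same DN on both sides, but signing key and certified key
	// differ, so these are self-issued yet not self-signed.
	s.NewWithOld = issue(ciTemplate(3, caName), s.OldRoot, &newKey.PublicKey, oldKey)
	s.OldWithNew = issue(ciTemplate(4, caName), s.NewRoot, &oldKey.PublicKey, newKey)
	// A CI certificate for a different DN, signed by the new root.
	s.Cross = issue(ciTemplate(5, otherName), s.NewRoot, &otherKey.PublicKey, newKey)
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(6), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	s.Leaf = issue(leafT, s.NewRoot, &leafKey.PublicKey, newKey)
	return s
}

func main() {
	s := BuildScenario()
	names := []string{"old root", "new root", "new-with-old", "old-with-new", "cross-cert", "leaf"}
	certs := []*x509.Certificate{s.OldRoot, s.NewRoot, s.NewWithOld, s.OldWithNew, s.Cross, s.Leaf}
	for i, c := range certs {
		fmt.Printf("%-13s %+v  violates proposed 4.3.1: %v\n", names[i], Classify(c), ViolatesProposed431(c))
	}
}
```

Running it shows both rollover certificates classified as self-issued but not self-signed, and flagged by ViolatesProposed431, while the two self-signed roots, the cross-certificate and the leaf pass; this is the gap between "self-issued" and "self-signed" that the reply points out. The self-signed test is done by verifying the signature with the certificate's own public key rather than by comparing key bytes, so it also works for certificates without a Subject Key Identifier.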