[cabfcert_policy] CA vs. CA draft proposal

Brown, Wendy (10421) wendy.brown at protiviti.com
Thu Mar 24 08:16:30 MST 2016


I missed the policy call this morning based on it showing up on my calendar at the wrong time.

But I have a question on one of the suggestions below:



In section 4.3.1, append the following text:



A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.



I believe this is the definition of a self-signed certificate rather than a self-issued one.

A self-issued certificate may also include certificates issued when a CA does a key rollover and signs the new key with the old and vice versa.  In these self-issued certificates the Private Key used by the CA to sign the Certificates does NOT correspond to the Public Key in the same certificate.



Thanks,

   Wendy



Wendy Brown

Protiviti Government Services

703-299-4705 (office)    703-965-2990 (cell)



wendy.brown at protiviti.com









-----Original Message-----
From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Thursday, March 24, 2016 9:43 AM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] CA vs. CA draft proposal



New Definitions:



Certificate Issuer (CI): An issuer of Certificates defined by a distinct Distinguished Name and Public Key



CI Certificate: A Certificate for which any of the following are true:

- A Basic Constraints extension is present and the cA component is set to TRUE

- A Key Usage extension is present and the keyCertSign bit is set



CI Key Pair: A Key Pair which has its Public Key included in a CI Certificate



Cross-Certificate: A CI certificate which is not a Self-Issued CI Certificate



End-entity Certificate: A Certificate which is not a CI Certificate



Root CI: A CI which is distributed by Application Software Suppliers as a trust anchor



Root CI Key Pair: A CI Key Pair which has its Public Key included in a Root Certificate



Root CI Certificate:  A CI Certificate which contains the Public Key from a Root CI Key Pair



Self-Issued CI Certificate: A CI Certificate where the subject and issuer Distinguished Names match



Technically Constrained CI Certificate: A CI certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which CI may issue Subscriber or additional CI Certificates.



Modifications:



In section 3.1.5, insert the following text:



Each CI Public Key MUST be associated with a single distinct Distinguished Name.  Each CI Distinguished Name MUST be associated with a single unique Public Key.



In section 4.3.1, append the following text:



A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.



<more to change CA to CI where appropriate>

_______________________________________________

Policyreview mailing list

Policyreview at cabforum.org<mailto:Policyreview at cabforum.org>

https://cabforum.org/mailman/listinfo/policyreview
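As an added example (not code from either message in the thread), the following Python script builds a self-signed CI certificate, a key-rollover certificate in which the old key certifies the new key under the same Distinguished Name, and an end-entity certificate, then classifies each under the proposed definitions. The names and keys are constructed for illustration, and the `cryptography` package is assumed.

```python
# Added example: classify certificates under the proposed CI definitions and
# show that a key-rollover certificate is Self-Issued but NOT self-signed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def is_ci_certificate(cert):
    """CI Certificate: basicConstraints cA=TRUE, or keyUsage with keyCertSign set."""
    try:
        if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return True
    except x509.ExtensionNotFound:
        pass
    try:
        return cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign
    except x509.ExtensionNotFound:
        return False

def is_self_issued(cert):
    """Self-Issued CI Certificate: a CI Certificate whose subject and issuer DNs match."""
    return is_ci_certificate(cert) and cert.subject == cert.issuer

def is_self_signed(cert):
    """Self-signed: the certified Public Key verifies the certificate's own signature."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def make_cert(subject_key, signing_key, subject_cn, issuer_cn, ca):
    """Issue a one-year certificate for subject_key's Public Key, signed by signing_key."""
    start = datetime.datetime(2016, 3, 24)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

OLD_KEY, NEW_KEY, LEAF_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
SELF_SIGNED = make_cert(OLD_KEY, OLD_KEY, "Example CI", "Example CI", ca=True)  # old key certifies itself
ROLLOVER = make_cert(NEW_KEY, OLD_KEY, "Example CI", "Example CI", ca=True)     # old key certifies new key
LEAF = make_cert(LEAF_KEY, OLD_KEY, "leaf.example", "Example CI", ca=False)     # End-entity Certificate
```

Under these definitions the rollover certificate satisfies "Self-Issued" (matching DNs) while failing the "Private Key corresponds to the certified Public Key" condition, which is the distinction raised in the reply above.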
