[cabfcert_policy] CA vs. CAO

Peter Bowen pzb at amzn.com
Tue Nov 22 12:08:52 MST 2016


I agree that nobody wants to go over every document and replace “CA” with “CAO” and I don’t think that is necessary.  Ben ran into a challenge on the last call which he can discuss, but I have run into a somewhat larger challenge when it comes to defining “CA” as the legal entity.

Many entities that control CA private keys control different keys that are part of different PKIs.  For example they may have one set of CA keys that are for BR compliant CA, one set that are for CAs that follow the Four Bridges Forum standards, and another set that are for private Enterprise PKIs that each follow standards for a specific enterprise case.  If we define “CA” to mean the operator, then things get very confusing because the operator may be following different requirements for issuing very similar certificates depending on the PKI.

I suggest that we define a Certification Authority to be a distinct entity that itself has agency and is owned or operated by a CAO.  A CA is best thought of as logically equivalent to a department or division within an organization.  So if you can say “the IT department must ensure that all computers have asset tags” you can say “the CA must ensure that all domain names end in a public top-level domain”.  This preserves the status quo that each CA is a distinct asset that can be bought and sold and a CAO/TSP may sell some CAs while retaining others.

By giving the CA agency, most of the CA references in the BRs do not need changing and things like “Root CA” may make sense without any changes at all.  For example, see the sentence fragment in section 6.1.1.1:

“For Root CA Key Pairs created after the Effective Date that are either (i) used as Root CA Key Pairs or (ii) Key Pairs generated for a subordinate CA that is not the operator of the Root CA or an Affiliate of the Root CA, the CA SHALL”

This can be changed to:

“For CA Key Pairs created after the Effective Date that are either (i) used as Root CA Key Pairs or (ii) for a subordinate CA that is not operated by CAO of the Issuing CA or an Affiliate thereof, the CA SHALL”

I think there are probably few places where we only mean the operator of the CA.

Thanks,
Peter


> On Nov 21, 2016, at 1:11 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
> 
> 
> First of all, sorry I missed the last call. This topic was discussed in previous F2F meetings and on several occasions. I believe that nobody wants to go over changing every document that has the term "CA" and change it to "CAO". If we are to do such a big change, I would vote to use the term "Trust Service Provider - TSP" in order to align with the European model.
> 
> The majority of the CAs and auditors have linked the term "CA" with an "organization". That's why it was agreed (on past meetings) that we will not try to change the meaning of the term "CA" to mean anything else but that of an organization. Instead, we would try to use this term consistently (to refer to an organization) and introduce changes to the other instances to mean something else. That would introduce fewer changes in the BRs and EV guidelines.
> 
> 
> Dimitris.
> 
> On 21/11/2016 10:47 PM, Ben Wilson wrote:
>> On our most recent call, Peter Bowen and I again discussed use of “CA” vs. something else.  (Back on May 5th I sent out a proposed “straw poll” to this group, but I don’t think I ever sent it to the public list.)  Peter and I like the term “CA Operator” or abbreviated, “CAO”.  The only downside, which is a big one – I’ll admit, is that the term “CA” seems to be used pervasively within the Forum and elsewhere to refer to the entity that operates a CA.
>> Following our last call, I started to do a replacement of CA with CAO to see how it would look/work, but I stopped because there would be many instances to replace and I wanted to get more of a consensus from this group and potentially the public list.
>> Thoughts?
>> Ben
>> 
>> 
>> _______________________________________________
>> Policyreview mailing list
>> Policyreview at cabforum.org <mailto:Policyreview at cabforum.org>
>> https://cabforum.org/mailman/listinfo/policyreview <https://cabforum.org/mailman/listinfo/policyreview>
