[cabfcert_policy] Section 9.3.4 of the EV Guidelines and Externally Operated Sub CAs

Ben Wilson ben.wilson at digicert.com
Thu Aug 3 10:54:22 MST 2017


During today's Policy Review Working Group meeting, I compared EV 9.3.4 with
BR 7.1.6.3.  BR 7.1.6.3 was based on EV 9.3.4, and I think that EV 9.3.4
does a better job of expressing the intent.  I think we really messed things
up when we replaced "controlled by the Root CA" with "affiliate of the
Issuing CA".


9.3.4 EV Subordinate CA Certificates


(1)  Certificates issued to Subordinate CAs that are not controlled by the
issuing CA MUST contain one or more policy identifiers defined by the
issuing CA that explicitly identify the EV Policies that are implemented by
the Subordinate CA.

(2)  Certificates issued to Subordinate CAs that are controlled by the Root
CA MAY contain the special anyPolicy identifier (OID:  2.5.29.32.0).

For example, just to focus the discussion, Section 7.1.6.3 of the BRs says
that the Sub CA Certificate issued to an "affiliate of the Issuing CA" MAY
contain the "anyPolicy" identifier (2.5.29.32.0) in place of an explicit
policy identifier.  This is not the same as in the EV Guidelines, which says
"controlled by the Root CA".


Instead of defining "Internally Operated Subordinate CA" as "A Subordinate
CA Operator, operated by the Root CA Operator or its Affiliate, that is in
possession or control of the Private Key associated with the Subordinate CA
Certificate" (and then trying to use that in BR 7.1.6.3), we should just amend
section 7.1.6.3 to be more like the EV Guidelines and say something to the
effect of, "A Subordinate CA Certificate for which the corresponding Private
Key is controlled by the Root CA MAY contain the special anyPolicy
identifier."


Thanks,

Ben
