[cabfpub] BR Issue 7
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Tue Nov 6 18:18:52 UTC 2012
On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling
<rob.stradling at comodo.com> wrote:
> However, I'm afraid we can't accept the AIA->caIssuers changes in
> Yngve's motion for the following reasons:
>
> 1. As written...
> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
> be downloaded"
> ...Yngve's motion outlaws Subordinate CA Certificates issued directly by
> Root Certificates which have not been cross-certified!
That is not the intention.
The intention is that if a Subordinate CA certificate was NOT issued by a
Root, *then* it must have an AIA URL so that the client can (try to) trace
the chain of the certificate to a Root certificate that it recognizes.
This means that for EE->CA1->CA2->CA3->Root, EE, CA1, and CA2
have to contain an AIA URL; CA3 does not need it, and if it does it should
not be to a file with the Root certificate.
Perhaps the confusion can be avoided by specifically saying "a
Subordinate CA certificate issued by a Subordinate CA"?
> IMHO...
> i. issuance of such Subordinate CA Certificates should be permitted!
> and
> ii. such Subordinate CA Certificates should omit AIA->caIssuers.
>
> 2. "it MUST contain" is unnecessarily restrictive. I'm interpreting "it
> MUST contain" to mean "it MUST contain precisely <this> and nothing
> else".
> Comodo often includes >1 caIssuers HTTP URLs, but my interpretation of
> this motion is that it requires us to include precisely 1 HTTP URL.
>
> 3. We simply don't think that CAs should be forced to include caIssuers
> URLs if they don't want to include them.
>
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 96 90 41 51 Fax: +47 23 69 24 01
********************************************************************
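
The rule described above for EE->CA1->CA2->CA3->Root, sketched as a chain checker. This is an added example, not part of the original message or of the Baseline Requirements text. The `Cert` model, the `served` map that stands in for fetching each URL, the example.test URLs, and the choice to accept more than one caIssuers URL are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    ca_issuers: list = field(default_factory=list)  # AIA caIssuers URLs

def check_chain(chain, served):
    """chain is leaf first, root last. served maps URL -> subject of the
    certificate published there (constructed stand-in for a download).
    Returns a list of (subject, finding) tuples; empty means no findings."""
    root = chain[-1]
    if root.subject != root.issuer:
        raise ValueError("last element must be the self-issued Root")
    findings = []
    for cert in chain[:-1]:
        http_urls = [u for u in cert.ca_issuers if u.lower().startswith("http://")]
        if cert.issuer != root.subject:
            # Issued by a subordinate CA: the client needs a pointer to climb.
            if not http_urls:
                findings.append((cert.subject, "missing HTTP caIssuers URL"))
            elif not any(served.get(u) == cert.issuer for u in http_urls):
                findings.append((cert.subject, "caIssuers URL does not serve the issuer"))
        elif any(served.get(u) == root.subject for u in cert.ca_issuers):
            # Issued directly by the Root: AIA is optional, but not to the Root.
            findings.append((cert.subject, "caIssuers URL serves the Root certificate"))
    return findings

# Constructed sample data (hypothetical names and URLs).
BASE = "http://pki.example.test/"
SERVED = {BASE + n.lower() + ".crt": n for n in ("CA1", "CA2", "CA3", "Root")}

def sample_chain(ca2_aia, ca3_aia):
    return [
        Cert("EE", "CA1", [BASE + "ca1.crt"]),
        Cert("CA1", "CA2", [BASE + "ca2.crt"]),
        Cert("CA2", "CA3", ca2_aia),
        Cert("CA3", "Root", ca3_aia),
        Cert("Root", "Root"),
    ]

if __name__ == "__main__":
    print(check_chain(sample_chain([BASE + "ca3.crt"], []), SERVED))
    print(check_chain(sample_chain([], [BASE + "root.crt"]), SERVED))
```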