[cabfpub] BR Issue 7

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Tue Nov 6 18:18:52 UTC 2012

On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling  
<rob.stradling at comodo.com> wrote:

> However, I'm afraid we can't accept the AIA->caIssuers changes in  
> Yngve's motion for the following reasons:
> 1. As written...
> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the  
> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can  
> be downloaded"
> ...Yngve's motion outlaws Subordinate CA Certificates issued directly by  
> Root Certificates which have not been cross-certified!

That is not the intention.

The intention is that if a Subordinate CA certificate was NOT issued by a  
Root, *then* it must have an AIA URL so that the client can (try to) trace  
the chain of the certificate to a Root certificate that it recognizes.

This means that for EE->CA1->CA2->CA3->Root, EE, CA1, and CA2  
have to contain an AIA URL, CA3 does not need it, and if it does it should  
not be to a file with the Root certificate.

Perhaps the confusion can be avoided by specifically saying "a  
Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the  

> IMHO...
> i. issuance of such Subordinate CA Certificates should be permitted!
> and
> ii. such Subordinate CA Certificates should omit AIA->caIssuers.
> 2. "it MUST contain" is unnecessarily restrictive.  I'm interpreting "it  
> MUST contain" to mean "it MUST contain precisely <this> and nothing  
> else".
> Comodo often includes >1 caIssuers HTTP URLs, but my interpretation of  
> this motion is that it requires us to include precisely 1 HTTP URL.
> 3. We simply don't think that CAs should be forced to include caIssuers  
> URLs if they don't want to include them.

Yngve N. Pettersen
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
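
The rule described in the message above (every certificate in the chain that was not issued by the Root carries an AIA caIssuers HTTP URL) written as a chain check. This is an added example, not part of the original message or of any CA/Browser Forum text; it assumes the Python `cryptography` package, and the function names, certificate names and the `ca.example` URL are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA
from cryptography.x509.oid import ExtensionOID, NameOID

def ca_issuers_http_urls(cert):
    """Return every HTTP caIssuers URL in the certificate's AIA extension."""
    try:
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AIA.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)
            and d.access_location.value.lower().startswith("http://")]

def missing_ca_issuers(chain):
    """chain is ordered leaf first, Root last. Return the subjects of
    certificates NOT issued by the Root that lack an HTTP caIssuers URL."""
    root = chain[-1]
    return [c.subject.rfc4514_string() for c in chain[:-1]
            if c.issuer != root.subject and not ca_issuers_http_urls(c)]

def build_chain(names, with_aia):
    """Constructed sample chain, names given leaf first. Certificates whose
    CN is in with_aia get one caIssuers URL; other extensions are omitted."""
    now = datetime.datetime(2012, 11, 6)
    chain, issuer_name, issuer_key = [], None, None
    for cn in reversed(names):          # build the Root first
        key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
        b = (x509.CertificateBuilder().subject_name(subject)
             .issuer_name(issuer_name or subject).public_key(key.public_key())
             .serial_number(x509.random_serial_number())
             .not_valid_before(now)
             .not_valid_after(now + datetime.timedelta(days=365)))
        if cn in with_aia:
            b = b.add_extension(x509.AuthorityInformationAccess([
                x509.AccessDescription(AIA.CA_ISSUERS,
                    x509.UniformResourceIdentifier("http://ca.example/issuer.crt"))]),
                critical=False)
        chain.insert(0, b.sign(issuer_key or key, hashes.SHA256()))
        issuer_name, issuer_key = subject, key
    return chain

if __name__ == "__main__":
    names = ["EE", "CA1", "CA2", "CA3", "Root"]
    print(missing_ca_issuers(build_chain(names, {"EE", "CA1"})))
```

CA3 is never reported because it is issued directly by the Root, and a certificate with more than one caIssuers URL passes as long as at least one is an HTTP URL.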
