[cabfpub] BR Issue 7

Paul Tiemann paul.tiemann.usenet at gmail.com
Tue Nov 6 19:30:13 UTC 2012

On Nov 6, 2012, at 11:18 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote:

> On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling  
> <rob.stradling at comodo.com> wrote:
>> However, I'm afraid we can't accept the AIA->caIssuers changes in  
>> Yngve's motion for the following reasons:
>> 1. As written...
>> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the  
>> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can  
>> be downloaded"
>> ...Yngve's motion outlaws Subordinate CA Certificates issued directly by  
>> Root Certificates which have not been cross-certified!
> That is not the intention.
> The intention is that if a Sub-ordinate CA certificate was NOT issued by a  
> Root, *then* it must have an AIA URL so that the client can (try to) trace  
> the chain of the certificate to a Root certificate that it recognizes.

Ah - thanks Yngve, it looks like I missed your intention here earlier.  

In practice, I'd still love it to be a "SHOULD" and see AIA:caIssuer populated in EE and non-rooted sub CAs 99% of the time.  I can imagine certain big customers will want to push the performance envelope by keeping their certificate as small as possible, and for those cases I want the flexibility.

> Perhaps the confusion can be avoided by specifically saying "a  
> Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the  
> problem?

Yes, this may be good.  However, leaving it as "SHOULD" also solves the problem without needing the technical language.


More information about the Public mailing list