[cabfpub] BR Issue 7
Rob Stradling
rob.stradling at comodo.com
Wed Nov 7 08:24:50 UTC 2012
On 06/11/12 18:18, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling
> <rob.stradling at comodo.com> wrote:
>
>> However, I'm afraid we can't accept the AIA->caIssuers changes in
>> Yngve's motion for the following reasons:
>>
>> 1. As written...
>> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
>> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
>> be downloaded"
>> ...Yngve's motion outlaws Subordinate CA Certificates issued directly
>> by Root Certificates which have not been cross-certified!
>
> That is not the intention.
Thanks Yngve. I thought it was unlikely to have been your intention.
> The intention is that if a Sub-ordinate CA certificate was NOT issued by
> a Root, *then* it must have an AIA URL so that the client can (try to)
> trace the chain of the certificate to a Root certificate that it
> recognizes.
>
> This is means that for EE->CA1->CA2->CA3->Root , then EE, CA1, and CA2
> have to contain an AIA URL, CA3 does not need it, and if it does it
> should not be to a file with the Root certificate.
>
> Perhaps the confusion can be avoided by specifically saying "a
> Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the
> problem?
You could tidy up the language so that it expresses what you intended to
express, but from the discussion so far it looks like the majority of
votes for a "MUST include AIA->caIssuers" motion would be "No".
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list