[cabfpub] BR Issue 7

Rob Stradling rob.stradling at comodo.com
Wed Nov 7 08:24:50 UTC 2012

On 06/11/12 18:18, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling
> <rob.stradling at comodo.com> wrote:
>> However, I'm afraid we can't accept the AIA->caIssuers changes in
>> Yngve's motion for the following reasons:
>> 1. As written...
>> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
>> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
>> be downloaded"
>> ...Yngve's motion outlaws Subordinate CA Certificates issued directly
>> by Root Certificates which have not been cross-certified!
> That is not the intention.

Thanks Yngve.  I thought it was unlikely to have been your intention.

> The intention is that if a Subordinate CA certificate was NOT issued by
> a Root, *then* it must have an AIA URL so that the client can (try to)
> trace the chain of the certificate to a Root certificate that it
> recognizes.
> This means that for EE->CA1->CA2->CA3->Root, then EE, CA1, and CA2
> have to contain an AIA URL, CA3 does not need it, and if it does it
> should not be to a file with the Root certificate.
> Perhaps the confusion can be avoided by specifically saying "a
> Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the
> problem?

You could tidy up the language so that it expresses what you intended to 
express, but from the discussion so far it looks like the majority of 
votes for a "MUST include AIA->caIssuers" motion would be "No".

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
