[cabfpub] BR Issue 7
rob.stradling at comodo.com
Wed Nov 7 08:24:50 UTC 2012
On 06/11/12 18:18, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> On Tue, 06 Nov 2012 17:08:12 +0100, Rob Stradling
> <rob.stradling at comodo.com> wrote:
>> However, I'm afraid we can't accept the AIA->caIssuers changes in
>> Yngve's motion for the following reasons:
>> 1. As written...
>> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
>> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
>> be downloaded"
>> ...Yngve's motion outlaws Subordinate CA Certificates issued directly
>> by Root Certificates which have not been cross-certified!
> That is not the intention.
Thanks Yngve. I thought it was unlikely to have been your intention.
> The intention is that if a Sub-ordinate CA certificate was NOT issued by
> a Root, *then* it must have an AIA URL so that the client can (try to)
> trace the chain of the certificate to a Root certificate that it
> This means that for EE->CA1->CA2->CA3->Root, then EE, CA1, and CA2
> have to contain an AIA URL, CA3 does not need it, and if it does it
> should not be to a file with the Root certificate.
> Perhaps the confusion can be avoided by specifically saying "a
> Sub-Ordinate CA certificate issued by a SubOrdinate CA" would fix the
You could tidy up the language so that it expresses what you intended to
express, but from the discussion so far it looks like the majority of
votes for a "MUST include AIA->caIssuers" motion would be "No".
Senior Research & Development Scientist
COMODO - Creating Trust Online
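
An added example, not part of the original message or of either participant's code: a small chain check contrasting the motion text as quoted above with the intention described in the quoted reply, on the EE->CA1->CA2->CA3->Root chain. The `Cert` model, the `lint_chain` function and the example.test URLs are constructed for illustration; a real check would read the authorityInfoAccess extension from parsed certificates.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    is_root: bool = False
    aia_url: Optional[str] = None      # AIA caIssuers URL (constructed values)
    aia_serves: Optional[str] = None   # subject of the certificate served there

def lint_chain(chain: List[Cert], as_written: bool = False) -> List[str]:
    """Return findings for a chain ordered leaf first, Root last."""
    by_subject = {c.subject: c for c in chain}
    findings = []
    for cert in chain:
        if cert.is_root:
            continue
        issuer = by_subject[cert.issuer]
        if issuer.is_root:
            if as_written:
                # Reading objected to in the message: the URL MUST serve a
                # non-Root issuer certificate, but the issuer is the Root.
                findings.append(f"{cert.subject}: issued by Root, requirement cannot be met")
            elif cert.aia_serves == issuer.subject:
                findings.append(f"{cert.subject}: caIssuers URL serves the Root certificate")
            continue
        if not cert.aia_url:
            findings.append(f"{cert.subject}: missing caIssuers URL")
        elif cert.aia_serves != issuer.subject:
            findings.append(f"{cert.subject}: caIssuers URL does not serve {issuer.subject}")
    return findings

def sample_chain() -> List[Cert]:
    """Constructed chain EE->CA1->CA2->CA3->Root from the message."""
    url = "http://pki.example.test/{}.crt"
    return [
        Cert("EE", "CA1", aia_url=url.format("CA1"), aia_serves="CA1"),
        Cert("CA1", "CA2", aia_url=url.format("CA2"), aia_serves="CA2"),
        Cert("CA2", "CA3", aia_url=url.format("CA3"), aia_serves="CA3"),
        Cert("CA3", "Root"),               # issued by the Root: no AIA needed
        Cert("Root", "Root", is_root=True),
    ]

if __name__ == "__main__":
    print(lint_chain(sample_chain()))                    # intended reading
    print(lint_chain(sample_chain(), as_written=True))   # literal reading
```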