[cabfpub] BR Issue 7

Ryan Hurst ryan.hurst at globalsign.com
Wed Nov 7 17:45:12 UTC 2012

True; however, today there is no reliable way for a relying party to
determine what is the most authoritative version of a certificate and
inclusion addresses this problem.

I agree (as per before) that there is not a case for mandating it for this
scenario but since we can't have the requirement be more than SHOULD for
issuing CAs also and that it provides value in the case of the root I see no
reason to make the text accommodate each case separately.


-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Wednesday, November 07, 2012 12:14 AM
To: Ryan Hurst
Cc: 'Paul Tiemann'; 'Yngve N. Pettersen (Developer Opera Software ASA)';
public at cabforum.org
Subject: Re: [cabfpub] BR Issue 7

On 06/11/12 19:20, Ryan Hurst wrote:
> There is even value in the root issued intermediates as there are 
> often updated versions of roots published, inclusion of the pointer in 
> root issued intermediates makes it possible for the most recent 
> version of the certificate to always be discoverable.

That's true, Ryan, but I don't see why it's needed.

Making a more recent "version" of a Root Certificate discoverable does not
mean that it magically becomes trusted by clients.  Clients will only trust
the new "version" once it has been added to their Trusted Root Certificate
list - an event which negates any need for discovery. 
(You can't add a Root Certificate to a trust list if you haven't discovered
it yet!)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
