[cabfpub] Intermediate certificate names

Geoff Keating geoffk at apple.com
Tue Mar 10 14:10:00 MST 2015


> On 10 Mar 2015, at 1:27 pm, Erwann Abalea <erwann.abalea at opentrust.com> wrote:
> 
> Good evening,
> 
> On 10/03/2015 07:31, Geoff Keating wrote:
>>> On 9 Mar 2015, at 10:01 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>> 
>>> One of the discussions going on includes how CAs should name intermediates.  Right now, the BRs say that the org field of the issuer “MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain a generic designation such as “Root” or “CA1”.” There is a similar requirement for the CN field.
>>> 
>>> We’ve heard that some auditors are interpreting this as a requirement that the CA must be named in each intermediate.
>>> 
>>> Thoughts?
>>> 
>> Perhaps you could make the common name something like "DigiCert issuing for Customer Name, Inc." or similar?  That'd help to clarify what the relationship is and what this certificate is for.
> 
> What if "Bozo, Inc" wants its CA certificate to be issued by DigiCert 
> *and* Comodo?
> 
> The relationship between an issuer CA and an issued CA is already 
> established by the "issuer" and "subject" fields of a certificate.

The example above is for when DigiCert is actually holding the private key and performing CA functions, through a company-specific intermediate.  If the company holds the private key and issues its own certificates, it is the CA and it should be the one named in the certificate.
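As an added example (not code from this thread or from any CA named in it), the two points above expressed as a Go standard-library check: lint an intermediate's O and CN against the quoted BR wording, and confirm the issuer/subject relationship Erwann describes by comparing the actual issuer bytes and verifying the signature. The generic-word list and every name in the constructed chain are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"regexp"
	"time"
)

// genericName: bare designations like the "Root" or "CA1" the quoted BR text forbids (word list is an assumption).
var genericName = regexp.MustCompile(`(?i)^\s*(root|ca\s*\d*|intermediate|issuing\s*ca)\s*$`)
// LintIntermediateName reports which of O and CN fail to carry a meaningful CA identifier.
func LintIntermediateName(sub pkix.Name) (problems []string) {
	if len(sub.Organization) == 0 || genericName.MatchString(sub.Organization[0]) {
		problems = append(problems, "organizationName missing or generic")
	}
	if genericName.MatchString(sub.CommonName) {
		problems = append(problems, "commonName generic")
	}
	return problems
}

// makeCA issues a CA certificate for subject; with parent == nil it is self-signed.
func makeCA(subject pkix.Name, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Demo builds a constructed chain whose intermediate is named only "CA1"/"Intermediate" and returns
// the lint findings plus whether the issuer field and signature really tie it to the root.
func Demo() ([]string, bool) {
	root, rootKey := makeCA(pkix.Name{Organization: []string{"Example Trust Services"}, CommonName: "Example Trust Services Root CA"}, nil, nil)
	inter, _ := makeCA(pkix.Name{Organization: []string{"CA1"}, CommonName: "Intermediate"}, root, rootKey)
	chained := string(inter.RawIssuer) == string(root.RawSubject) && inter.CheckSignatureFrom(root) == nil
	return LintIntermediateName(inter.Subject), chained
}
```

The lint flags both fields of the constructed intermediate while the chain check still passes, which is the separation the thread is getting at: issuer/subject establish who signed the certificate, not whether the name identifies the operating CA.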
