[cabfpub] [CABFORUM] Re: Intermediate certificate names

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 16:22:03 MST 2015


Thanks Peter.  This is even more evidence that this section needs a revamp.

-----Original Message-----
From: Peter Bowen [mailto:pzbowen at gmail.com] 
Sent: Tuesday, March 10, 2015 5:01 PM
To: Jeremy Rowley; Ryan Sleevi
Cc: Geoff Keating; public at cabforum.org
Subject: [CABFORUM] Re: [cabfpub] Intermediate certificate names

See https://bugzilla.cabforum.org/show_bug.cgi?id=17 for an impact of this.  The rules for subject and issuer are incompatible, which effectively means that domain component (DC) cannot be used in CA certificates.

On Tue, Mar 10, 2015 at 3:35 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> To clarify, current Section 9.1.1 talks only about the issuer fields.  To support name chaining under RFC 5280, these fields must contain the same information as found in the subject of the issuing cert.  This is not clear in the language.
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Jeremy Rowley
> Sent: Tuesday, March 10, 2015 4:24 PM
> To: Geoff Keating
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Intermediate certificate names
>
> That could be three different entities.
>
> However, we realized during the discussion that the section actually mixes two issues: 1) information in the subject of the issuing cert and 2) information in the issuer field of an end-entity cert. To clarify, we're going to need to separate out the two issues.
>
> -----Original Message-----
> From: Geoff Keating [mailto:geoffk at apple.com]
> Sent: Tuesday, March 10, 2015 3:39 PM
> To: Jeremy Rowley
> Cc: Rob Stradling; Erwann Abalea; public at cabforum.org
> Subject: Re: [cabfpub] Intermediate certificate names
>
> I was speaking loosely.  The actual definition from the BRs is that the CA is "An organization that is responsible for the creation, issuance, revocation, and management of Certificates."
>
>> On 10 Mar 2015, at 2:27 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>
>> Here's a realistic scenario that I think demonstrates a lot of the complication:
>> 1) CA1 signs a cert for CA2 (cross-sign)
>> 2) CA3 hosts the infrastructure for CA2 (hosting)
>> 3) RA1 does all the validation and approves issuance of the cert.
>>
>> What is the name of the intermediate and who controls the private key?
>
> So, in this case, the organization that is *responsible* is probably CA2.  They oversee RA1, they have a contract with CA3.  CA1 probably won't want to be responsible for CA2's operations.  CA3 will say "we're just hosting, we have no liability for anything".
>
> You can do this backwards, by saying that the organization named in the certificate is the CA and therefore is responsible; so, the real question is, as the CA issuing the intermediate, who do you trust to be responsible?
>
>> -----Original Message-----
>> From: public-bounces at cabforum.org 
>> [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
>> Sent: Tuesday, March 10, 2015 3:24 PM
>> To: Geoff Keating; Erwann Abalea
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Intermediate certificate names
>>
>> What does it actually mean to "hold" a private key?
>>
>> http://www.merriam-webster.com/dictionary/holder says:
>> "a person who holds or owns something"
>>
>> If Bozo, Inc owns a private key but DigiCert controls it, who is the CA?
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
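The name-chaining requirement Jeremy describes (the issuer field of a certificate has to carry the same information as the subject of the certificate that signed it) and Peter's point that this is what makes domainComponent awkward in CA certificates, as an added worked example that is not part of the thread and not code from the CA/Browser Forum or any CA. It encodes X.501 Names to DER with no library and compares them byte for byte, the strict comparison path validators commonly use; the OIDs and string tags are the standard ones, and every distinguished name in it is constructed for illustration:

```python
"""Minimal DER encoding of X.501 Names plus the RFC 5280 name-chaining check.

Added example for the thread above, not code from the CA/Browser Forum or
from any CA.  OIDs and string tags are the standard ones; every
distinguished name below is constructed for illustration.
"""
from typing import List, Sequence, Tuple

# Attribute types used in the sample names (RFC 4519, RFC 5280 4.1.2.4).
OID_C, OID_O, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"
OID_DC = "0.9.2342.19200300.100.1.25"   # domainComponent

# DER universal tags, and the string type each attribute normally uses.
TAG_OID, TAG_UTF8, TAG_PRINTABLE, TAG_IA5 = 0x06, 0x0C, 0x13, 0x16
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
DEFAULT_STRING_TAG = {OID_C: TAG_PRINTABLE, OID_O: TAG_UTF8,
                      OID_CN: TAG_UTF8, OID_DC: TAG_IA5}

# A Name is an ordered list of RDNs; an RDN is a list of attributes, each
# (oid, value) or (oid, value, string_tag) to force a particular string type.
Name = Sequence[Sequence[Tuple]]


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Dotted OID to DER: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(body))


def encode_name(name: Name) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue."""
    rdns = []
    for rdn in name:
        atvs = []
        for oid, value, *rest in rdn:
            tag = rest[0] if rest else DEFAULT_STRING_TAG[oid]
            atvs.append(der_tlv(TAG_SEQUENCE,
                                der_oid(oid) + der_tlv(tag, value.encode("utf-8"))))
        # DER orders the members of a SET OF by their encodings (X.690 11.6).
        rdns.append(der_tlv(TAG_SET, b"".join(sorted(atvs))))
    return der_tlv(TAG_SEQUENCE, b"".join(rdns))


def names_chain(issuer_field: Name, issuing_ca_subject: Name) -> bool:
    """Name chaining (RFC 5280 6.1.3): a certificate's issuer must match the
    subject of the certificate that signed it.  Compared byte for byte on
    the DER; the looser PrintableString case/whitespace folding that
    section 7.1 also permits is deliberately not applied here."""
    return encode_name(issuer_field) == encode_name(issuing_ca_subject)


def broken_links(chain: Sequence[Tuple[Name, Name]]) -> List[int]:
    """chain is leaf first, each entry (subject, issuer); returns the indices
    whose issuer does not chain to the next certificate's subject."""
    return [i for i in range(len(chain) - 1)
            if not names_chain(chain[i][1], chain[i + 1][0])]


# Constructed sample names; the issuing CA's subject carries DC attributes.
ROOT_SUBJECT = [[(OID_C, "US")], [(OID_O, "Example Root CA")], [(OID_CN, "Example Root")]]
CA_SUBJECT = [[(OID_DC, "com")], [(OID_DC, "example")],
              [(OID_O, "Example Issuing CA")], [(OID_CN, "Example Issuing CA 1")]]
LEAF_SUBJECT = [[(OID_C, "US")], [(OID_O, "Subscriber Ltd")], [(OID_CN, "www.subscriber.example")]]


def demo() -> dict:
    """Four ways a CA might fill the leaf's issuer field against CA_SUBJECT."""
    exact_copy = list(CA_SUBJECT)
    dc_dropped = [rdn for rdn in CA_SUBJECT if rdn[0][0] != OID_DC]
    # Same text, but every attribute as UTF8String: only the DCs change type.
    dc_as_utf8 = [[(oid, val, TAG_UTF8) for oid, val in rdn] for rdn in CA_SUBJECT]
    rdn_reordered = list(reversed(CA_SUBJECT))
    return {
        "exact_copy": names_chain(exact_copy, CA_SUBJECT),          # True
        "dc_dropped": names_chain(dc_dropped, CA_SUBJECT),          # False
        "dc_as_utf8": names_chain(dc_as_utf8, CA_SUBJECT),          # False
        "rdn_reordered": names_chain(rdn_reordered, CA_SUBJECT),    # False
        "chain": broken_links([(LEAF_SUBJECT, dc_dropped), (CA_SUBJECT, ROOT_SUBJECT),
                               (ROOT_SUBJECT, ROOT_SUBJECT)]),     # [0]
    }


if __name__ == "__main__":
    print(demo())
```

Only the exact copy chains. The three failing cases are the practical consequence of the point above: once a CA certificate's subject contains domainComponent RDNs, every certificate it signs must repeat those RDNs in its issuer field, in the same order and with the same IA5String encoding, or the path will not build. A rule that describes the issuer field of end-entity certificates without reference to the subject of the issuing certificate therefore cannot be satisfied independently of the rule for that subject.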