[cabfpub] Intermediate certificate names

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 05:01:59 UTC 2015

One of the discussions going on includes how CAs should name intermediates.  Right now, the BRs say that the org field of the issuer "MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain a generic designation such as "Root" or "CA1"." There is a similar requirement for the CN field.

We've heard that some auditors are interpreting this as a requirement that the CA must be named in each intermediate.  I disagree as calling each of our Intermediates DigiCert Intermediate 1 CA, DigiCert Intermediate 2 CA, etc. is less useful than specifying their intended purpose or intended beneficiary. I think the word "accurately identify the CA" leaves a question about whether you identifying the holder of the private key or the entity authorized to approve issuance from the intermediate (such as a separate Sub CA).

One suggestion that someone made is to include a marker in the cert that basically says "the holder of the private key is not the subject of the cert but is the issuer".  This would have the added benefit of clearing up how many CAs are actually out there.

Rob Stradling, of Comodo, suggested that new cert policy OID in the BRs would be a good way to implement this.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150310/6d8a36a1/attachment-0002.html>

More information about the Public mailing list