[cabfpub] Intermediate certificate names

Richard Wang richard at wosign.com
Tue Mar 10 05:24:31 UTC 2015

I agree either add a word to identify the real owner of the issuing CA
private key or add a special OID to identify this. Maybe a special OID is
easy and easy for acceptance of customer.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Monday, March 9, 2015 10:02 PM
Subject: [cabfpub] Intermediate certificate names


One of the discussions going on includes how CAs should name intermediates.
Right now, the BRs say that the org field of the issuer "MUST contain the
name (or abbreviation thereof), trademark, or other meaningful identifier
for the CA, provided that they accurately identify the CA. The field MUST
NOT contain a generic designation such as "Root" or "CA1"." There is a
similar requirement for the CN field.  


We've heard that some auditors are interpreting this as a requirement that
the CA must be named in each intermediate.  I disagree as calling each of
our Intermediates DigiCert Intermediate 1 CA, DigiCert Intermediate 2 CA,
etc. is less useful than specifying their intended purpose or intended
beneficiary. I think the word "accurately identify the CA" leaves a question
about whether you identifying the holder of the private key or the entity
authorized to approve issuance from the intermediate (such as a separate Sub


One suggestion that someone made is to include a marker in the cert that
basically says "the holder of the private key is not the subject of the cert
but is the issuer".  This would have the added benefit of clearing up how
many CAs are actually out there.


Rob Stradling, of Comodo, suggested that new cert policy OID in the BRs
would be a good way to implement this. 





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150310/36916673/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5099 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150310/36916673/attachment-0001.p7s>

More information about the Public mailing list