[cabfpub] Intermediate certificate names

Geoff Keating geoffk at apple.com
Tue Mar 10 06:31:52 UTC 2015


> 
> On 9 Mar 2015, at 10:01 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> One of the discussions going on includes how CAs should name intermediates.  Right now, the BRs say that the org field of the issuer “MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain a generic designation such as “Root” or “CA1”.” There is a similar requirement for the CN field. 
>  
> We’ve heard that some auditors are interpreting this as a requirement that the CA must be named in each intermediate.

> Thoughts?
> 

Perhaps you could make the common name something like "DigiCert issuing for Customer Name, Inc." or similar?  That'd help to clarify what the relationship is and what this certificate is for.

If the organization actually has the private key, then they are the CA and they should be the one named.  The above would be for a case where you keep the private key and are "the CA" for BR purposes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4103 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150309/b5c53973/attachment-0001.p7s>


More information about the Public mailing list