[cabfpub] Intermediate certificate names

Ryan Sleevi sleevi at google.com
Tue Mar 10 06:43:21 UTC 2015


Reposting for Peter
On Mar 9, 2015 11:41 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:

> On Mon, Mar 9, 2015 at 10:01 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
> > One of the discussions going on includes how CAs should name
> intermediates.
> > Right now, the BRs say that the org field of the issuer “MUST contain the
> > name (or abbreviation thereof), trademark, or other meaningful identifier
> > for the CA, provided that they accurately identify the CA. The field MUST
> > NOT contain a generic designation such as “Root” or “CA1”.” There is a
> > similar requirement for the CN field.
>
> As the BRs are worded currently, this applies to both Root and
> Intermediate CAs, they are both included in the definition of "Issuing
> CA".
>
> > We’ve heard that some auditors are interpreting this as a requirement
> that
> > the CA must be named in each intermediate.  I disagree as calling each of
> > our Intermediates DigiCert Intermediate 1 CA, DigiCert Intermediate 2 CA,
> > etc. is less useful than specifying their intended purpose or intended
> > beneficiary. I think the word “accurately identify the CA” leaves a
> question
> > about whether you identifying the holder of the private key or the entity
> > authorized to approve issuance from the intermediate (such as a separate
> Sub
> > CA).
>
>  Yes, my reading of the BRs is that the minimal name for a compliant CA is:
> ((Country, "XX"), (Organization, "Example"), (Common Name, "Example CA"))
>
> This is based on sections 9.1.1, 9.1.3, and 9.1.4 all being required.
>
> While this seems redundant, it makes sense when you look at how
> browsers display issuer information.  Try visiting
> https://www.keypost.ch/ and https://learnable.com to in various
> browsers (the former being non-EV and the latter is EV).
>
> IE: Shows the "Friendly Name" of the root CA
> Firefox: Shows Issuer Organization attribute
> Chrome: Shows Issuer Common Name
>
> > One suggestion that someone made is to include a marker in the cert that
> > basically says “the holder of the private key is not the subject of the
> cert
> > but is the issuer”.  This would have the added benefit of clearing up how
> > many CAs are actually out there.
>
> RFC 3647 mentions both "Certificate Manufacturing Authorities" and
> "Repository Service Providers", which are different from certification
> authorities.  I've also seen Certification Status Authority (runs the
> OCSP responders) broken out in some CPs and CPSes.
>
> If one accepts that the CA, CMA, and RSP may all be different
> entities, then it would
> seem that the CA CA is the entity that is audited and has a CPS and
> contracts with the others for services.  In the example you mentioned,
> the holder of the private key would be the CMA, and the subject of the
> cert would be the CA.
>
> Where do these relationships need to be disclosed?  Good question.  As
> it stands today, I think it only requires disclosure to the parties
> and to the auditors.  No public disclosure is required as long as the
> CA says they are taking overall responsibility for certificates issued
> in their name.  In that case the Issuer should reasonably be the CA,
> even if they don't have physical possession of the private key.
>
> Thanks,
> Peter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150309/91e986c0/attachment-0003.html>


More information about the Public mailing list