[cabfpub] Intermediate certificate names
sleevi at google.com
Tue Mar 10 06:43:21 UTC 2015
Reposting for Peter
On Mar 9, 2015 11:41 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:
> On Mon, Mar 9, 2015 at 10:01 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
> > One of the discussions going on includes how CAs should name
> > Right now, the BRs say that the org field of the issuer “MUST contain the
> > name (or abbreviation thereof), trademark, or other meaningful identifier
> > for the CA, provided that they accurately identify the CA. The field MUST
> > NOT contain a generic designation such as “Root” or “CA1”.” There is a
> > similar requirement for the CN field.
> As the BRs are worded currently, this applies to both Root and
> Intermediate CAs, they are both included in the definition of "Issuing
> > We’ve heard that some auditors are interpreting this as a requirement
> > the CA must be named in each intermediate. I disagree as calling each of
> > our Intermediates DigiCert Intermediate 1 CA, DigiCert Intermediate 2 CA,
> > etc. is less useful than specifying their intended purpose or intended
> > beneficiary. I think the word “accurately identify the CA” leaves a
> > about whether you identifying the holder of the private key or the entity
> > authorized to approve issuance from the intermediate (such as a separate
> > CA).
> Yes, my reading of the BRs is that the minimal name for a compliant CA is:
> ((Country, "XX"), (Organization, "Example"), (Common Name, "Example CA"))
> This is based on sections 9.1.1, 9.1.3, and 9.1.4 all being required.
> While this seems redundant, it makes sense when you look at how
> browsers display issuer information. Try visiting
> https://www.keypost.ch/ and https://learnable.com to in various
> browsers (the former being non-EV and the latter is EV).
> IE: Shows the "Friendly Name" of the root CA
> Firefox: Shows Issuer Organization attribute
> Chrome: Shows Issuer Common Name
> > One suggestion that someone made is to include a marker in the cert that
> > basically says “the holder of the private key is not the subject of the
> > but is the issuer”. This would have the added benefit of clearing up how
> > many CAs are actually out there.
> RFC 3647 mentions both "Certificate Manufacturing Authorities" and
> "Repository Service Providers", which are different from certification
> authorities. I've also seen Certification Status Authority (runs the
> OCSP responders) broken out in some CPs and CPSes.
> If one accepts that the CA, CMA, and RSP may all be different
> entities, then it would
> seem that the CA CA is the entity that is audited and has a CPS and
> contracts with the others for services. In the example you mentioned,
> the holder of the private key would be the CMA, and the subject of the
> cert would be the CA.
> Where do these relationships need to be disclosed? Good question. As
> it stands today, I think it only requires disclosure to the parties
> and to the auditors. No public disclosure is required as long as the
> CA says they are taking overall responsibility for certificates issued
> in their name. In that case the Issuer should reasonably be the CA,
> even if they don't have physical possession of the private key.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public