[cabfpub] Intermediate certificate names

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 17:09:23 UTC 2015

I think that's true for Root Certificates but including that CA information in each intermediate makes it confusing about who is operating the intermediate.

From: Jody Cloutier [mailto:jodycl at microsoft.com]
Sent: Tuesday, March 10, 2015 11:06 AM
To: Jeremy Rowley; Eddy Nigg; Geoff Keating
Subject: RE: [cabfpub] Intermediate certificate names

I would assert that the "real CA" is the CA that has ultimate legal responsibility for the issuance of the certificates. In Microsoft's case, we would define the "real CA" as the CA we have the contract with.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, March 10, 2015 10:01 AM
To: Eddy Nigg; Geoff Keating
Subject: Re: [cabfpub] Intermediate certificate names

From Peter Bowen at Amazon:

How do you define "the real CA"?
Is it the company that manages the CPS, writes the management assertion, and is identified in the auditor's opinion letter?
Or is it the company who employs people to perform validation, create and sign certificates, and respond to status requests?


From: Eddy Nigg [mailto:eddy_nigg at startcom.org]
Sent: Tuesday, March 10, 2015 10:56 AM
To: Geoff Keating; Jeremy Rowley
Subject: Re: [cabfpub] Intermediate certificate names

On 03/10/2015 08:31 AM, Geoff Keating wrote:
Perhaps you could make the common name something like "DigiCert issuing for Customer Name, Inc." or similar?

I don't think this is a good idea - I believe the organization name should correctly identify the company to whom the certificate was issued.

When we issue a certificate to an end-user we correctly identify that entity (in the verified settings). If we issue an intermediate CA to an external entity why should this be any different? We should identify the entity we validated and for whom we issued the intermediate CA certificate (even if that entity doesn't control the private key, e.g. a managed and controlled solution by the parent CA).


Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org <xmpp:startcom at startcom.org>
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>
