[cabfpub] [CABFORUM] Re: Intermediate certificate names

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 17:17:25 UTC 2015

The classification can be more complicated, depending on how you slice it and what you want to know from the intermediate.

1) Where the Sub CA performs all the validation and issues the cert but the private key is hosted by another CA

2) Where the Sub CA hosts the keys and controls issuance

3) Where the Sub CA hosts the keys but all services related to issuance and compliance are performed by another CA

4) Where the Sub CA has the right to host the keys, but is currently leasing space/equipment from another CA

5) Where the Sub CA performs all of the validation except domain validation and uses another CA (who hosts the private key) to do the domain validation

6) Etc.

There are about as many shades of variation as there are Sub CAs.

As a starting point, I think we need a consensus on what we want the intermediate to convey. Suggestions:

1) Who controls the private key

2) Who owns the private key

3) Who performs the validation

4) Who operates the relevant CPS

5) Which is the audited entity

6) Which entity is using the intermediate for certificates

7) More?


From: Eddy Nigg [mailto:eddy_nigg at startcom.org]
Sent: Tuesday, March 10, 2015 11:08 AM
To: Peter Bowen; Ryan Sleevi
Cc: Jeremy Rowley; public at cabforum.org
Subject: Re: [CABFORUM] Re: [cabfpub] Intermediate certificate names

On 03/10/2015 06:59 PM, Peter Bowen wrote:
How do you define "the real CA"?

When speaking about intermediate CAs I believe there are two external types. Those that are fully controlled by the CA holding the private key and those that are managed and controlled by the parent CA not holding the private key.

However, in both scenarios the intermediate CA is designed to be used for and by a particular entity for whatever purpose the parent CA agreed to. The difference is the way each type is audited and disclosed (Mozilla).

The third type is the intermediate CA that is controlled and used by the parent CA internally and directly.


Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org <xmpp:startcom at startcom.org>
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>
