[cabfpub] Intermediate certificate names

Gervase Markham gerv at mozilla.org
Tue Mar 10 17:20:42 UTC 2015

On 10/03/15 09:56, Eddy Nigg wrote:
> When we issue a certificate to an end-user we correctly identify that
> entity (in the verified settings). If we issue an intermediate CA to an
> external entity why should this be any different? We should identify the
> entity we validated and for whom we issued the intermediate CA
> certificate (even if that entity doesn't control the private key, e.g. a
> managed and controlled solution by the parent CA).

That "even" is the key question. The counter argument is that if you
still have the private key, you haven't issued a certificate to that
organization. You've created one which has their name in, but that's not
the same thing at all.


