[cabfpub] Intermediate certificate names
rob.stradling at comodo.com
Tue Mar 10 21:24:19 UTC 2015
What does it actually mean to "hold" a private key?
"a person who holds or owns something"
If Bozo, Inc owns a private key but DigiCert controls it, who is the CA?
Arguably both Bozo and DigiCert are holders of that private key. One
holds it, the other owns it.
Maybe either or both of them are the CA!
On 10/03/15 21:10, Geoff Keating wrote:
>> On 10 Mar 2015, at 1:27 pm, Erwann Abalea <erwann.abalea at opentrust.com> wrote:
>> Le 10/03/2015 07:31, Geoff Keating a écrit :
>>>> On 9 Mar 2015, at 10:01 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>>> One of the discussions going on includes how CAs should name intermediates. Right now, the BRs say that the org field of the issuer “MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain a generic designation such as “Root” or “CA1”.” There is a similar requirement for the CN field.
>>>> We’ve heard that some auditors are interpreting this as a requirement that the CA must be named in each intermediate.
>>> Perhaps you could make the common name something like "DigiCert issuing for Customer Name, Inc." or similar? That'd help to clarify what the relationship is and what this certificate is for.
>> What if "Bozo, Inc" wants its CA certificate to be issued by DigiCert
>> *and* Comodo?
>> The relationship between an issuer CA and an issued CA is already
>> established by the "issuer" and "subject" fields of a certificate.
> The example above is for when DigiCert is actually holding the private key and performing CA functions, through a company-specific intermediate. If the company holds the private key and issues its own certificates, it is the CA and it should be the one named in the certificate.
> Public mailing list
> Public at cabforum.org
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
COMODO CA Limited, Registered in England No. 04058690
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
More information about the Public