[cabfpub] Intermediate certificate names

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 21:27:32 UTC 2015

Here's a realistic scenario that I think demonstrates a lot of the complication:
1) CA1 signs a cert for CA2 (cross-sign)
2) CA3 hosts the infrastructure for CA2 (hosting)
3) RA1 does all the validation and approves issuance of the cert.

What is the name of the intermediate and who controls the private key? 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Tuesday, March 10, 2015 3:24 PM
To: Geoff Keating; Erwann Abalea
Cc: public at cabforum.org
Subject: Re: [cabfpub] Intermediate certificate names

What does it actually mean to "hold" a private key?

http://www.merriam-webster.com/dictionary/holder says:
"a person who holds or owns something"

If Bozo, Inc owns a private key but DigiCert controls it, who is the CA?

Arguably both Bozo and DigiCert are holders of that private key.  One holds it, the other owns it.

Maybe either or both of them are the CA!

On 10/03/15 21:10, Geoff Keating wrote:
>> On 10 Mar 2015, at 1:27 pm, Erwann Abalea <erwann.abalea at opentrust.com> wrote:
>> Bonsoir,
>> Le 10/03/2015 07:31, Geoff Keating a écrit :
>>>> On 9 Mar 2015, at 10:01 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>>> One of the discussions going on includes how CAs should name intermediates.  Right now, the BRs say that the org field of the issuer "MUST contain the name (or abbreviation thereof), trademark, or other meaningful identifier for the CA, provided that they accurately identify the CA. The field MUST NOT contain a generic designation such as "Root" or "CA1"." There is a similar requirement for the CN field.
>>>> We've heard that some auditors are interpreting this as a requirement that the CA must be named in each intermediate.
>>>> Thoughts?
>>> Perhaps you could make the common name something like "DigiCert issuing for Customer Name, Inc." or similar?  That'd help to clarify what the relationship is and what this certificate is for.
>> What if "Bozo, Inc" wants its CA certificate to be issued by DigiCert
>> *and* Comodo?
>> The relationship between an issuer CA and an issued CA is already 
>> established by the "issuer" and "subject" fields of a certificate.
> The example above is for when DigiCert is actually holding the private key and performing CA functions, through a company-specific intermediate.  If the company holds the private key and issues its own certificates, it is the CA and it should be the one named in the certificate.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690 Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
Public mailing list
Public at cabforum.org

More information about the Public mailing list