[cabfpub] Are test certificates subscriber certificates?

Peter Bowen pzb at amzn.com
Sat Feb 6 01:36:08 UTC 2016

I’ve recently run into some confusion over the definition of Subscriber Certificate.

If a certificate signed by a CA includes the id-kp-serverAuth key purposes in the extended key usage extension but has subject identity information that identifies the CA itself and only contains domain names that fall under domains registered to the CA, is the certificate a Subscriber Certificate?

One view is that yes, it is.  This is supported by section 2.2 of the BRs (and Appendix A of the EVGs) which says:

"The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate.  At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.”

It specifically calls out that the CA is hosting and that these must be Subscriber Certificates.

The other view is no, it is not.  This is supported by the 9.6.1 which says:

"That, if the CA and Subscriber are not Affiliated, the Subscriber and CA are parties to a legally valid and enforceable Subscriber Agreement that satisfies these Requirements, or, if the CA and Subscriber are Affiliated, the Applicant Representative acknowledged and accepted the Terms of Use”

Terms of Use is defined as "Provisions regarding the safekeeping and acceptable uses of a Certificate issued in accordance with these Requirements when the Applicant/Subscriber is an Affiliate of the CA”

The argument is that it does not make sense that these should be considered Subscriber Certificates when viewed from an information vetting perspective and that the CA cannot execute terms or an agreement with itself.

I thought the answer was obvious, but I have come to learn that there is disagreement.  Any opinions?


More information about the Public mailing list