[cabfpub] Are test certificates subscriber certificates?
pzb at amzn.com
Sat Feb 6 01:36:08 UTC 2016
I’ve recently run into some confusion over the definition of Subscriber Certificate.
If a certificate signed by a CA includes the id-kp-serverAuth key purpose in the extended key usage extension but has subject identity information that identifies the CA itself and only contains domain names that fall under domains registered to the CA, is the certificate a Subscriber Certificate?
One view is that yes, it is. This is supported by section 2.2 of the BRs (and Appendix A of the EVGs) which says:
"The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired."
It specifically calls out that the CA is hosting and that these must be Subscriber Certificates.
The other view is no, it is not. This is supported by section 9.6.1, which says:
The argument is that it does not make sense that these should be considered Subscriber Certificates when viewed from an information vetting perspective and that the CA cannot execute terms or an agreement with itself.
I thought the answer was obvious, but I have come to learn that there is disagreement. Any opinions?