[cabfpub] Terminology/Style question
Dimitris Zacharopoulos
jimmy at it.auth.gr
Tue Apr 4 17:11:24 UTC 2017
On 4/4/2017 5:20 PM, Peter Bowen wrote:
>> By keeping exactly the same DN? Does this align with 4.1.2.6 of RFC
>> 5280 that require unique DNs under one Issuing CA (probably a Root CA
>> in this case)
>
> I’m not sure what part of 4.1.2.6 says this is not allowed. In fact
> it says: "A CA MAY issue more than one certificate with the same DN to
> the same subject entity.”
>
> Consider a situation where CAs are licensed by a central authority.
> A single legal entity may operate multiple CAs. This sort of
> requirement exists in other industries; for example the requirement in
> many US states that each restaurant kitchen be inspected and
> licensed even if a single company owns multiple kitchens. In the
> case of a licensed CA, it is clear that it is a specific subject
> entity. Therefore issuing more than multiple certificates with
> the same DN to that entity with different key pairs is fine.
>
It says exactly the following:
"The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field. A CA MAY issue more than one certificate with the same DN to the same subject entity."
I guess I was confused by the first sentence because having more than
one Certificate per subject entity per CA (as the Issuer) with the same
DN would break the uniqueness. I read it as uniqueness of DNs per CA
where you read it as uniqueness of a "subject entity" that can have the
same DN but multiple certificates with the same DN. Now I can understand
your interpretation.
>>>
>>> While not mentioned, two different Issuing CAs can have the same key
>>> pair.
>>
>> I don't remember reading any requirement that prevents this.
>>
>>>
>>> So, to answer your question: I would say those are both the same
>>> “Issuing CA”.
>>
>> If two CA Certificates have exactly the same DN as in the example
>> above, we agree that we are talking about the same "Issuing CA".
>> However, we need to understand if the re-key process of an Issuing CA
>> is in accordance with RFC 5280 since this is not a "self-issued
>> certificate" that 5280 explicitly allows for keeping the same DN.
>
> As long as it is the same subject entity, then you can re-key.
>
> Consider certificates issued with the subject DN: CN=*.google.com,
> O=Google Inc, L=Mountain View, ST=California, C=US. crt.sh shows many
> many with this DN with different keys:
> https://crt.sh/?cn=*.google.com&dir=^&sort=2
> There are millions more similar cases where the CA has "renewed" a
> certificate with a new key or "rekeyed" a certificate. Are you saying
> that CAs are somehow different from other entities?
No, I think your example makes it perfectly clear :)
Thank you,
Dimitris.
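An added illustration, not part of this thread, of what the re-key case means for a relying party: two Issuing CA certificates carry the identical subject DN but different keys, so a path builder that matches issuer by DN alone finds two candidates and must disambiguate by Authority/Subject Key Identifier and the signature. It uses the Python `cryptography` library; the DNs and keys are constructed for the example.

```python
# Added example: same Issuing CA DN before and after a re-key, and a chain
# builder that picks the right CA by key identifier and signature, not DN.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2017, 4, 4, tzinfo=datetime.timezone.utc)

def dn(cn):  # constructed example DNs, one CN attribute is enough here
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer_name, key, signer, is_ca):
    """Build a minimal certificate with SKI/AKI so issuers can be told apart."""
    pub = key.public_key()
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
             signer.public_key()), critical=False))
    return b.sign(signer, hashes.SHA256())

root_key = ec.generate_private_key(ec.SECP256R1())
root = make_cert(dn("Example Root"), dn("Example Root"), root_key, root_key, True)
# The Issuing CA is re-keyed: same subject DN, two different key pairs.
ca_key_old = ec.generate_private_key(ec.SECP256R1())
ca_key_new = ec.generate_private_key(ec.SECP256R1())
issuing_old = make_cert(dn("Example Issuing CA"), root.subject, ca_key_old, root_key, True)
issuing_new = make_cert(dn("Example Issuing CA"), root.subject, ca_key_new, root_key, True)
leaf_key = ec.generate_private_key(ec.SECP256R1())
leaf = make_cert(dn("www.example.test"), issuing_new.subject, leaf_key, ca_key_new, False)

def candidate_issuers_by_dn(cert, pool):
    """DN matching alone: both Issuing CA certs qualify for the leaf."""
    return [c for c in pool if c.subject == cert.issuer]

def signed_by(cert, candidate):
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def find_issuer(cert, pool):
    """Narrow DN matches by AKI == SKI, then confirm with the signature."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    for c in candidate_issuers_by_dn(cert, pool):
        ski = c.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ski == aki and signed_by(cert, c):
            return c
    return None
```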