[cabfpub] Terminology/Style question

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Apr 4 17:11:24 UTC 2017

On 4/4/2017 5:20 μμ, Peter Bowen wrote:
>> By keeping exactly the same DN? Does this align with of RFC 
>> 5280 that require unique DNs under one Issuing CA (probably a Root CA 
>> in this case)
> I’m not sure what part of says this is not allowed.  In fact 
> it says: "A CA MAY issue more than one certificate with the same DN to 
> the same subject entity.”
> Consider a situation where CAs are licensed by a central authority. 
>  A single legal entity may operate multiple CAs.  This sort of 
> requirement exists in other industries; for example the requirement in 
> many US states that each restaurant kitchen be inspected and 
> licensed even if a single company owns multiple kitchens.  In the 
> case of a licensed CA, it is clear that it is a specific subject 
> entity.  Therefore issuing more than multiple certificates with 
> the same DN to that entity with different key pairs is fine.

It says exactly the following:

"The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field.  A CA MAY issue more than one certificate with the same DN to the same subject entity."

I guess I was confused by the first sentence because having more than 
one Certificate per subject entity per CA (as the Issuer) with the same 
DN would break the uniqueness. I read it as uniqueness of DNs per CA 
where you read it as uniqueness of a "subject entity" that can have the 
same DN but multiple certificates with the same DN. Now I can understand 
your interpretation.

>>> While not mentioned, two different Issuing CAs can have the same key 
>>> pair.
>> I don't remember reading any requirement that prevents this.
>>> So, to answer your question: I would say those are both the same 
>>> “Issuing CA”.
>> If two CA Certificates have exactly the same DN as in the example 
>> above, we agree that we are talking about the same "Issuing CA". 
>> However, we need to understand if the re-key process of an Issuing CA 
>> is in accordance with RFC 5280 since this is not a "self-issued 
>> certificate" that 5280 explicitly allows for keeping the same DN.
> As long as it is the same subject entity, then you can re-key.
> Consider certificates issued with the subject DN: CN=*.google.com 
> <http://google.com>, O=Google Inc, L=Mountain View, ST=California, 
> C=US.  crt.sh shows many many with this DN with different keys: 
> https://crt.sh/?cn=*.google.com&dir=^&sort=2 
> <https://crt.sh/?cn=*.google.com&dir=%5E&sort=2> There are millions 
> more similar cases where the CA has “renewed” a certificate with a new 
> key or "rekeyed" a certificate.  Are you saying that CAs are somehow 
> different from other entities?

No, I think your example makes it perfectly clear :)

Thank you,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170404/e3b16ba4/attachment-0003.html>

More information about the Public mailing list