[Anima] subordinate vs intermediate certification authorities

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 28 January 2021 17:17 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: lamps@ietf.org, t2trg@ietf.org
cc: anima@ietf.org
Date: Thu, 28 Jan 2021 12:16:13 -0500
Message-ID: <25392.1611854173@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q>

RFC5280 uses the term "intermediate certificates", and they are presumably
issued by "intermediate" certification authorities.

That term does not appear, although:
     "intermediate CA certificates"

RFC4949 defines "intermediate CA"
However, the usage in RFC4949 seems entirely related to cross-certification,
rather than a PKI that has multiple layers of certification authority!

RFC4949 defines "subordinate CA" in a way that implies it is part of the same
RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
RFC1422, notes that in X509v3, we don't need the same structure.
In reading it, it feels that the term subordinate should refer to v1
certificates only.

At this point, in 2020, can someone give me some guidance on using these terms?

My intuition, which I have started to document at:

is that if the Trust Anchor (Level one) and the Level Two Certification
Authority are under control of the same organization, then the Level Two is
an "intermediate" certification authority.

However, if the Anchor (level N) and the Level N+1 certification authority
are in different organizations (such as for an "Enterprise Certificate"),
then the Level N+1 is a subordinate CA.

This question comes from working on draft-ietf-anima-constrained-voucher,
in which we have a number of choices on which certificate (or public key) to
pin our constrained-RFC8366 voucher.

Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
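The following is an added illustration, not code from the mail or from any ANIMA draft. It walks a certification path, checks the basic linkage (self-issued anchor first, each later certificate issued by the one before it, no end-entity certificate acting as an issuer), and then labels each CA below the anchor using the rule the mail proposes as the author's intuition: a CA run by the same organization as the trust anchor is "intermediate", one in a different organization is "subordinate". Neither RFC 4949 nor RFC 5280 defines the terms this way; the rule, the `Cert` model (plain dicts standing in for X.509 certificates, with `org` standing in for the subject's O= component) and the sample path are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (assumption: no real parsing)."""
    subject: str
    issuer: str
    org: str      # the O= component of the subject, one organization per cert
    is_ca: bool   # basicConstraints cA flag


def check_path(path):
    """Return a list of linkage errors for a path ordered anchor -> end entity.

    An empty list means the path is well formed: path[0] is self-issued and
    every later certificate names the previous certificate as its issuer.
    """
    if not path:
        return ["empty path"]
    errors = []
    if path[0].subject != path[0].issuer:
        errors.append("first certificate is not self-issued (no trust anchor)")
    for prev, cur in zip(path, path[1:]):
        if cur.issuer != prev.subject:
            errors.append(f"{cur.subject}: issuer {cur.issuer!r} != {prev.subject!r}")
        if not prev.is_ca:
            errors.append(f"{prev.subject}: end-entity certificate used as issuer")
    return errors


def label_cas(path):
    """Label every CA below the anchor per the mail's same-organization rule."""
    anchor = path[0]
    labels = {}
    for cert in path[1:]:
        if cert.is_ca:
            labels[cert.subject] = (
                "intermediate" if cert.org == anchor.org else "subordinate"
            )
    return labels


# Constructed sample path: a manufacturer root (anchor), a second-level CA in
# the same organization, an enterprise CA in the customer's organization, and
# a device certificate issued by the enterprise CA.
SAMPLE_PATH = [
    Cert("Example Mfr Root CA", "Example Mfr Root CA", "Example Mfr", True),
    Cert("Example Mfr Issuing CA", "Example Mfr Root CA", "Example Mfr", True),
    Cert("Customer Enterprise CA", "Example Mfr Issuing CA", "Customer Corp", True),
    Cert("device-0001", "Customer Enterprise CA", "Customer Corp", False),
]

if __name__ == "__main__":
    for err in check_path(SAMPLE_PATH):
        print("error:", err)
    for name, label in label_cas(SAMPLE_PATH).items():
        print(f"{name}: {label}")
```

Run as a script it prints no errors and labels the issuing CA "intermediate" and the enterprise CA "subordinate"; the labelling is only meaningful once `check_path` returns an empty list, so callers should check that first.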