Re: [pkix] Support for delegate certificates

Peter Bowen <> Fri, 15 April 2016 03:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A003612D110 for <>; Thu, 14 Apr 2016 20:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ObCsguEX7YU9 for <>; Thu, 14 Apr 2016 20:04:53 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c03::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EC35D12D6AF for <>; Thu, 14 Apr 2016 20:04:52 -0700 (PDT)
Received: by with SMTP id fs9so32000022pac.2 for <>; Thu, 14 Apr 2016 20:04:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=gW6yVu/5Cv6gwUHgClO01dPEckWmelKp0XnsU1O98lg=; b=WGkz4IPruwlgY3yqBiZzcJIg81jPyal4ZElF3d3D9xJoEIpRfzvMI/37vTobB5Q7XT piRe5/2qWbzfh0YilePclxCCAH7xXNhklMnYiP+Hz1z8vWS4WhJfJkrp3leU2V1RB6KH x9P+qKem8M0m3lGoLYHxFKfaLeugjuVLgIWWbNp2pFYPPaIS+oIYiFkpk23Yt6eAcfkz MRWKV137c3M6/3sPzP4tdIn9POmqf0M0MTD65A9aIkJ4N2+PpzabislyIRfDIqivqM/u o6UbVZQmLjHNCDUMPIY1FJHEHTcb8dAnArxH2eK7FmssT8/avs++f/9ra3qy4SSZC7HE BKRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=gW6yVu/5Cv6gwUHgClO01dPEckWmelKp0XnsU1O98lg=; b=mNixxRo66O+RcpsNPrZgCiZeyR6BqPhKflKogvYic+BX2YFBtsvab6YUdbACkzfJDy /1HRylAWxj/vf8myDV6lrlfFmxQUuPjUrrbDUqXih+vFkuTR4axNHAC9MHxcifQHGlkC C3WONH9vK9+m9UKlGFEKtYhMuxcUB/0x7qIoDZupopfQgcyMFcG2fW06zhomIVsPYrNC u9mVmZ56cy6Qx5AAFnblB0vfATQekLpf+2OjrZIrfcGEZsw+ftUzGcmCfRFRHMijAQZm ipxfqKLbUHc1L+L4TVUl8V5XeI4ZZsegOChJOG3u3dQ8MQq5gyElxWls/sOoOSXYw4KX 6n6w==
X-Gm-Message-State: AOPr4FWYsMe3q4J45d7TWOdqYZhXiAl5D8DWrAgj8Jhod9N92wdkb8PX56ARQG9MubzpQG6cwIjvKuH9na12Uw==
MIME-Version: 1.0
X-Received: by with SMTP id xm9mr25996336pab.68.1460689492502; Thu, 14 Apr 2016 20:04:52 -0700 (PDT)
Received: by with HTTP; Thu, 14 Apr 2016 20:04:52 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Thu, 14 Apr 2016 20:04:52 -0700
Message-ID: <>
From: Peter Bowen <>
To: Phil Lello <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: "<>" <>
Subject: Re: [pkix] Support for delegate certificates
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Apr 2016 03:04:54 -0000

On Thu, Apr 14, 2016 at 12:16 PM, Phil Lello <> wrote:
> Not sure if this has already been discussed (I couldn't find it), or indeed
> if this is the most appropriate list, but I have a variation on certificate
> chains I'd like considered.
> I have a couple of scenarios in mind where it could be useful for the holder
> of a certificate, say for * to act as a CA for issuing
> certificate to delegates. Examples include:
>   - * issues a certificate to (to reduce
> number of admins trusted with wildcard cert)
>   - * issues a certificate to (to support
> HTTP's Alt-Svc)
>   - * issues a certificate to, who issues a
> certificate to
> The basic principle is that the certificate (as vetted by a public CA)
> identifies the party responsible for the signed content, but allows
> generation of certificates for alternate distribution points (or individuals
> who can do so).
> This would require explicit changes for libraries supporting protocols such
> as TLS (assuming the chain verification isn't hopelessly broken) to provide
> a notification to the client to identify who's behalf the certificate was
> issued on.

This concept already exists today in the form of name constraints
(  Name
constraints provide namespace (e.g. and only allow
issuance to subtrees of that name.  They are defined to work with DNS
names, email addresses, IP addresses, SRV names, and other name forms,
so almost everything you propose could work.

Have you looked at name constraints?