Re: [saag] subordinate vs intermediate certification authority

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 04 February 2021 04:48 UTC


On Wed, Feb 03, 2021 at 11:10:43PM -0500, Michael Richardson wrote:

> I thought I had cross-posted this, but apparently I did not:
>
>   https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/
> 
> RFC5280 uses the term "intermediate certificates", and they are
> RFC4949 defines "intermediate CA"
> RFC4949 defines "subordinate CA" in a way that implies it is part of the same
> RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
> 
> At this point, in 2020, can someone give me some guidance on using these terms?

FWIW, in the context of OpenSSL, Postfix, etc., I see/use the terms
"root CA certificate", "intermediate CA certificate" and "end-entity
certificate".  Where "root CA certificates" are self-signed, "end-entity
certificates" are the certificates of the peer, and everything in
between is just intermediate certificates.

From a verifier perspective there is little reason to make distinctions
on a more granular level.  Note that what may be an intermediate CA
certificate (or even end-entity certificate) in one context may be the
trust anchor in another.  So the above terms are strictly about the
chain of issuance, separate from any question of which element in the
chain happens to be the trust anchor.

> My intuition, which I have started to document at:
>    https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi
> 
> is that if the Trust Anchor (Level one) and the Level Two Certification
> Authority are under control of the same organization, then the Level Two is
> an "intermediate" certification authority.
>
> However, if the Anchor (level N) and the Level N+1 certification authority
> are in different organizations (such as for an "Enterprise Certificate"),
> then the Level N+1 is a subordinate CA.

Again, from the vantage point of the verifier, there's no practical way
to know.  Some of the Let's Encrypt CA certs are issued by DST others by
ISRG.  In common usage, I typically see these referred to as intermediate
certificates, but e.g. the ISRG CPS appears to prefer "subordinate":

    https://letsencrypt.org/documents/isrg-cp-v2.5/

    6.1.1.1 CA key pair generation

    For Root CA Key Pairs created after the Effective Date that are
    either (i) used as Root CA Key Pairs or (ii) Key Pairs generated for
    a subordinate CA that is not the operator of the Root CA or an
    Affiliate of the Root CA, the CA SHALL:

explicitly distinguishing between arm's length subordinates and
subordinates affiliated with the root CA.  There's no mention
of intermediate certificates; rather, the taxonomy appears to be

    6.1.5 Key sizes

        (1) Root CA Certificates

        (2) Subordinate CA Certificates

        (3) Subscriber Certificates

So as I see it, "intermediate" and "subordinate" are essentially
synonymous, with some technical communities using the former and others
the latter to mean basically the same thing.

-- 
    Viktor.
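An added example, not part of Viktor's message or of the documents it cites: the script below uses the openssl CLI to build a throwaway root -> intermediate -> leaf chain (constructed names, P-256 keys), labels each certificate purely by its place in the chain of issuance, and then verifies the leaf twice, once with the root and once with the intermediate as the trust anchor, to show that the role names and the trust-anchor choice are independent questions.

```shell
#!/bin/sh
# Constructed demo chain; all names and files are throwaway test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkcert() {  # mkcert <name> <subject> <issuer-name|self> <extfile>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -out "$WORK/$1.pem" -days 30 -extfile "$4" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -out "$WORK/$1.pem" -days 30 -extfile "$4" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example\n' > "$WORK/ee.ext"
  mkcert root "/CN=Example Root CA" self "$WORK/ca.ext"
  mkcert int  "/CN=Example Intermediate CA" root "$WORK/ca.ext"
  mkcert leaf "/CN=leaf.example" int "$WORK/ee.ext"
}

# Role by issuance only (ISRG CP wording in brackets): self-signed CA = root
# [Root CA], other CA = intermediate [Subordinate CA], else end-entity [Subscriber].
role_of() {
  subj=$(openssl x509 -in "$WORK/$1.pem" -noout -subject | cut -d= -f2-)
  iss=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer | cut -d= -f2-)
  if ! openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "end-entity certificate"
  elif [ "$subj" = "$iss" ]; then
    echo "root CA certificate"
  else
    echo "intermediate CA certificate"
  fi
}

# Verify the leaf against a chosen anchor. A non-self-signed cert in the trust
# store is only accepted as an anchor when -partial_chain is given.
verify_leaf() {  # verify_leaf <anchor> [partial]
  if [ "$2" = partial ]; then
    openssl verify -partial_chain -trusted "$WORK/$1.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -trusted "$WORK/$1.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

build_chain
for c in root int leaf; do echo "$c: $(role_of "$c")"; done
verify_leaf root && echo "root as anchor: ok"
verify_leaf int partial && echo "intermediate as anchor (-partial_chain): ok"
verify_leaf int || echo "intermediate as anchor without -partial_chain: rejected"
```

The same int.pem is "an intermediate CA certificate" in both runs; only the verifier's trust-store configuration decides whether the path ends there or continues up to the self-signed root.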