Re: [saag] subordinate vs intermediate certification authority
"Dr. Pala" <madwolf@openca.org> Fri, 05 February 2021 13:16 UTC
To: saag@ietf.org, LAMPS <spasm@ietf.org>
References: <30833.1612411843@localhost>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org>
Date: Fri, 5 Feb 2021 06:16:51 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LVeE9GVK5yPjuysPD-HnTtvuYNY>
Hi Michael, all,

I would not add specific significance to terminology that has been used interchangeably for many years. In the public eye "Intermediate CA" or "Subordinate CA" are equivalent (used in different contexts, though).

If you want to make the distinction because in your work you want to differentiate if a CA is run by the same organization that runs the Trust Anchors, I would suggest you make it very explicit in the text so as not to confuse people.

Developers and Practitioners (see the note on OpenSSL's conventions) seem to support more the "Intermediate CA" for technical conversations, while "Subordinate CA" is usually referred to in the context of PKI policies.

RFC3647 talks about subordinate organizations instead - maybe that is the concept you need to use?

What is weird about the question is the different logical levels that you are trying to put together: business relationships and certification chains.

I hope this helps,

Cheers,
Max

On 2/3/21 9:10 PM, Michael Richardson wrote:
> I thought I had cross-posted this, but apparently I did not:
> https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/
>
> RFC5280 uses the term "intermediate certificates", and they are presumably
> issued by "intermediate" certification authorities.
>
> That term does not appear, although:
> "intermediate CA certificates"
> occurs.
>
> RFC4949 defines "intermediate CA"
> However, the usage in RFC4949 seems entirely related to cross-certification,
> rather than a PKI that has multiple layers of certification authority!
>
> RFC4949 defines "subordinate CA" in a way that implies it is part of the same
> organization.
> RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
> RFC1422, notes that in X509v3, we don't need the same structure.
> In reading it, it feels that the term subordinate should refer to v1
> certificates only.
>
> At this point, in 2020, can someone give me some guidance on using these terms?
>
> My intuition, which I have started to document at:
> https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi
>
> is that if the Trust Anchor (Level one) and the Level Two Certification
> Authority are under control of the same organization, then the Level Two is
> an "intermediate" certification authority.
>
> However, if the Anchor (level N) and the Level N+1 certification authority
> are in different organizations (such as for an "Enterprise Certificate"),
> then the Level N+1 is a subordinate CA.
>
> This question comes from working on draft-ietf-anima-constrained-voucher,
> in which we have a number of choices on which certificate (or public key) to
> pin our constrained-RFC8366 voucher.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director