Re: [saag] subordinate vs intermediate certification authority
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 24 February 2021 23:54 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8DBE3A114B; Wed, 24 Feb 2021 15:54:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d4qhiNmFccng; Wed, 24 Feb 2021 15:54:53 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3603F3A0FD0; Wed, 24 Feb 2021 15:54:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 8079538A0C; Wed, 24 Feb 2021 18:59:04 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id G-5j2W_1rRqX; Wed, 24 Feb 2021 18:59:03 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CA5A5389EF; Wed, 24 Feb 2021 18:59:03 -0500 (EST)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 3F2AC9A8; Wed, 24 Feb 2021 18:54:51 -0500 (EST)
To: saag@ietf.org, spasm@ietf.org
References: <30833.1612411843@localhost>
From: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <b4b2ec42-3af1-56bd-5d5c-8eb20b692eec@sandelman.ca>
Date: Wed, 24 Feb 2021 18:54:51 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <30833.1612411843@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MDy3dvEe8KCTNN9vLpTjtim3YQ8>
Subject: Re: [saag] subordinate vs intermediate certification authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 23:54:56 -0000
Thank you folks for the discussion. On 2021-02-03 11:10 p.m., Michael Richardson wrote: > > I thought I had cross-posted this, but apparently I did not: > https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/ > > FC5280 uses the term "intermediate certificates", and they are presumably > issues by "intermediate" certification authorities. > > That term does not appear, although: > "intermediate CA certificates" > occurs. > > RFC4949 defines "intermediate CA" > However, the usage in RFC4949 seems entirely related to cross-certification, > rather than a PKI that has multiple layers of certification authority! Based upon the discussion on the list, the NIST references, and a look at the US GOV Federal https://fpki.idmanagement.gov/tools/fpkigraph/ It seems that actually the Intermediate CA has extensive use related to cross-certification. To the extent that the term has been used in our documents, it is usually associated with path validation, and this is usually important when bridge CAs are involved. I will use the term subordinate CA when speaking about a multi-level PKI. If I had the opportunity to update RFC4949 and RFC5280, it would be to add subordinate/superior CA to the document, with references to the NIST documents.
- [saag] subordinate vs intermediate certification … Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Brockhaus, Hendrik
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Dr. Pala
- Re: [saag] [lamps] subordinate vs intermediate ce… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] [lamps] subordinate vs intermediate ce… Ryan Sleevi
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Eliot Lear
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson