[saag] subordinate vs intermediate certification authority

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 04 February 2021 04:10 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: spasm@ietf.org, saag@ietf.org
Date: Wed, 03 Feb 2021 23:10:43 -0500
Message-ID: <30833.1612411843@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NRKjb7nRoZZ2iMx9_op7Ucv99jg>
Subject: [saag] subordinate vs intermediate certification authority

I thought I had cross-posted this, but apparently I did not:
  https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/

RFC5280 uses the term "intermediate certificates", and they are presumably
issued by "intermediate" certification authorities.

That term does not appear, although:
     "intermediate CA certificates"
occurs.

RFC4949 defines "intermediate CA"
However, the usage in RFC4949 seems entirely related to cross-certification,
rather than a PKI that has multiple layers of certification authority!

RFC4949 defines "subordinate CA" in a way that implies it is part of the same
organization.
RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
RFC1422, notes that in X509v3, we don't need the same structure.
In reading it, it feels that the term subordinate should refer to v1
certificates only.

At this point, in 2020, can someone give me some guidance on using these terms?

My intuition, which I have started to document at:
   https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi

is that if the Trust Anchor (Level one) and the Level Two Certification
Authority are under control of the same organization, then the Level Two is
an "intermediate" certification authority.

However, if the Anchor (level N) and the Level N+1 certification authority
are in different organizations (such as for an "Enterprise Certificate"),
then the Level N+1 is a subordinate CA.

This question comes from working on draft-ietf-anima-constrained-voucher,
in which we have a number of choices on which certificate (or public key) to
pin our constrained-RFC8366 voucher.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide