[saag] subordinate vs intermediate certification authority
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 04 February 2021 04:10 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: spasm@ietf.org, saag@ietf.org
Date: Wed, 03 Feb 2021 23:10:43 -0500
Message-ID: <30833.1612411843@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NRKjb7nRoZZ2iMx9_op7Ucv99jg>
I thought I had cross-posted this, but apparently I did not:
https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/

RFC5280 uses the term "intermediate certificates", and they are presumably issued by "intermediate" certification authorities. That term does not appear, although "intermediate CA certificates" occurs.

RFC4949 defines "intermediate CA". However, the usage in RFC4949 seems entirely related to cross-certification, rather than a PKI that has multiple layers of certification authority!

RFC4949 defines "subordinate CA" in a way that implies it is part of the same organization.

RFC5280 uses the term "subordinate" in section 3.2, but later, in referring to RFC1422, notes that in X509v3 we don't need the same structure. In reading it, it feels that the term subordinate should refer to v1 certificates only.

At this point, in 2020, can someone give me some guidance on using these terms?

My intuition, which I have started to document at:
https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi
is that if the Trust Anchor (Level one) and the Level Two Certification Authority are under control of the same organization, then the Level Two is an "intermediate" certification authority.

However, if the Anchor (level N) and the Level N+1 certification authority are in different organizations (such as for an "Enterprise Certificate"), then the Level N+1 is a subordinate CA.

This question comes from working on draft-ietf-anima-constrained-voucher, in which we have a number of choices on which certificate (or public key) to pin our constrained-RFC8366 voucher.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
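Added example, not part of the post above or of the draft it cites: a constructed four-level chain is labelled with the rule the post proposes (same organization as the level above means "intermediate", different organization means "subordinate"), and a helper shows which certificates a verifier still examines once a voucher is pinned to the key at a given level. The Cert stand-in, the organization names and the chain are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed; no real ASN.1 or signatures)."""
    subject: str   # subject name
    issuer: str    # subject of the signing certificate (== subject for a self-signed anchor)
    org: str       # organization that controls this certificate's private key
    is_ca: bool    # basicConstraints cA flag

# Constructed sample: a vendor trust anchor, a vendor-run issuing CA, an enterprise CA that
# the vendor certified, and one device end-entity certificate issued by the enterprise.
SAMPLE_CERTS = [
    Cert("Vendor Root", "Vendor Root", "Vendor", True),
    Cert("Vendor IDevID CA", "Vendor Root", "Vendor", True),
    Cert("Acme Enterprise CA", "Vendor IDevID CA", "Acme", True),
    Cert("device-0001", "Acme Enterprise CA", "Acme", False),
]

def ordered_chain(leaf: Cert, certs: list[Cert]) -> list[Cert]:
    """Follow issuer links from the leaf up to the self-signed anchor; returns anchor first."""
    by_subject = {c.subject: c for c in certs}
    path = [leaf]
    while path[-1].issuer != path[-1].subject:
        parent = by_subject.get(path[-1].issuer)
        if parent is None or not parent.is_ca:
            raise ValueError(f"no CA certificate for issuer {path[-1].issuer!r}")
        path.append(parent)
    return list(reversed(path))

def classify(chain: list[Cert]) -> list[tuple[str, str]]:
    """Level 1 is the trust anchor; a level N+1 CA is 'intermediate' when the same organization
    controls level N, and 'subordinate' when a different organization does (the post's rule)."""
    labels = [(chain[0].subject, "trust anchor")]
    for parent, child in zip(chain, chain[1:]):
        if not child.is_ca:
            labels.append((child.subject, "end entity"))
        elif child.org == parent.org:
            labels.append((child.subject, "intermediate CA"))
        else:
            labels.append((child.subject, "subordinate CA"))
    return labels

def covered_by_pin(chain: list[Cert], pinned_subject: str) -> list[str]:
    """Certificates a verifier actually checks when it pins the key of `pinned_subject`:
    the pinned certificate and everything below it; levels above the pin are never examined."""
    subjects = [c.subject for c in chain]
    return subjects[subjects.index(pinned_subject):]
```

Pinning lower in the chain shortens what the constrained verifier must process, but any re-issuance of the pinned CA's key invalidates the voucher, which is the trade-off behind the choice the post mentions.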