Re: [saag] [lamps] subordinate vs intermediate certification authority

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Thu, 04 February 2021 07:46 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "spasm@ietf.org" <spasm@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Date: Thu, 04 Feb 2021 07:46:13 +0000
Message-ID: <AM0PR10MB2418085DF1EB0952EB6DFCEDFEB39@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <30833.1612411843@localhost>
In-Reply-To: <30833.1612411843@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/aErpka2hzVDMUqiP0NDK9HBLvcA>
Subject: Re: [saag] [lamps] subordinate vs intermediate certification authority
List-Id: Security Area Advisory Group <saag.ietf.org>

Michael

I also recognized the lack of clear definitions of these terms.

Maybe the definitions in the NIST glossary help.
https://csrc.nist.gov/glossary/term/Intermediate_Certification_Authority
"intermediate CA
A CA that is signed by a superior CA (e.g., a Root CA or another Intermediate CA) and signs CAs (e.g., another Intermediate or Subordinate CA). The Intermediate CA exists in the middle of a trust chain between the Trust Anchor, or Root, and the subscriber certificate issuing Subordinate CAs. From CNSSI 4009-2015 CNSSI 1300
A CA that is subordinate to another CA, and has a CA subordinate to itself. From NIST SP 800-32"
https://csrc.nist.gov/glossary/term/superior_CA
"superior CA
In a hierarchical PKI, a CA who has certified the certificate signature key of another CA, and who constrains the activities of that CA. (See subordinate CA). From NIST SP 800-32"
https://csrc.nist.gov/glossary/term/subordinate_CA
"subordinate CA
In a hierarchical PKI, a CA whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA. (See superior CA). From NIST SP 800-32"

The definition of intermediate CA from the NIST glossary differs from the one in RFC 4949, but I think it fits better for today's use. The definition of subordinate CA seems to fit well with RFC 4949 also.

I often read the term "Issuing CA" referring to those CAs issuing end entity certificates.
https://www.omnisecu.com/security/public-key-infrastructure/certificate-authority-ca-hierarchy.php
But I am not aware of any official definition. Sometimes the term issuing CA is also used more generally to refer to the CA that issued any certificate, not only end entity certificates.

Hendrik

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
> 
> I thought I had cross-posted this, but apparently I did not:
> 
> https://mailarchive.ietf.org/arch/msg/anima/3tNwWb9gBacdYMTr1TtXzSa_3_Q/
> 
> RFC5280 uses the term "intermediate certificates", and they are presumably
> issued by "intermediate" certification authorities.
> 
> That term does not appear, although:
>      "intermediate CA certificates"
> occurs.
> 
> RFC4949 defines "intermediate CA"
> However, the usage in RFC4949 seems entirely related to cross-certification,
> rather than a PKI that has multiple layers of certification authority!
> 
> RFC4949 defines "subordinate CA" in a way that implies it is part of the same
> organization.
> RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
> RFC1422, notes that in X509v3, we don't need the same structure.
> In reading it, it feels that the term subordinate should refer to v1 certificates
> only.
> 
> At this point, in 2020, can someone give me some guidance on using these
> terms?
> 
> My intuition, which I have started to document at:
> 
> https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi
> 
> is that if the Trust Anchor (Level one) and the Level Two Certification
> Authority are under control of the same organization, then the Level Two is
> an "intermediate" certification authority.
> 
> However, if the Anchor (level N) and the Level N+1 certification authority are
> in different organizations (such as for an "Enterprise Certificate"), then the
> Level N+1 is a subordinate CA.
> 
> This question comes from working on draft-ietf-anima-constrained-voucher,
> in which we have a number of choices on which certificate (or public key) to
> pin our constrained-RFC8366 voucher.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
>
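The NIST wording quoted in the reply above ("a CA whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA") has a concrete X.509 counterpart: the superior CA's basicConstraints pathLenConstraint bounds how many further CA certificates may appear below it in a chain. The following Go program is an added example written for this page; it is not code from either thread participant, from NIST, or from any IETF document. It builds the three-tier hierarchy the NIST intermediate-CA definition describes (trust anchor, intermediate CA with pathLen 1, subscriber-issuing subordinate CA with pathLen 0) using only the Go standard library, and then shows a relying party rejecting a chain in which the issuing CA has signed a further CA. All subject names ("Example Trust Anchor", "device-0001", "Unauthorised Sub-CA") and function names are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a CA certificate with its private key (kept in memory; this is an illustration).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serialNo int64 // sequential serials are enough for an in-memory example

// template returns the fields every certificate in the example shares.
func template(name string) *x509.Certificate {
	serialNo++
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serialNo),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints so cA is explicit
	}
}

// issue signs tmpl for a fresh P-256 key; a nil parent means self-signed.
func issue(tmpl *x509.Certificate, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA issues a CA certificate signed by parent. pathLen is the X.509 pathLenConstraint
// (further CA certs allowed below this one): -1 omits it, 0 allows end-entity certs only.
func NewCA(name string, parent *CA, pathLen int) *CA {
	tmpl := template(name)
	tmpl.IsCA = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	tmpl.MaxPathLen = pathLen          // -1 encodes "absent"
	tmpl.MaxPathLenZero = pathLen == 0 // Go needs this flag to emit pathLen 0
	cert, key := issue(tmpl, parent)
	return &CA{Cert: cert, Key: key}
}

// NewLeaf issues an end-entity (subscriber) certificate from issuer.
func NewLeaf(name string, issuer *CA) *x509.Certificate {
	tmpl := template(name)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cert, _ := issue(tmpl, issuer)
	return cert
}

// Verify builds a chain from leaf to the trust anchor through the supplied CA certificates.
func Verify(leaf *x509.Certificate, anchor *CA, chain ...*CA) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.Cert)
	for _, c := range chain {
		inter.AddCert(c.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo builds trust anchor -> intermediate CA -> issuing (subordinate) CA -> subscriber.
// validErr: leaf issued by the issuing CA. rogueErr: leaf issued by a CA the issuing CA
// signed despite its own pathLen 0.
func Demo() (validErr, rogueErr error) {
	anchor := NewCA("Example Trust Anchor", nil, -1)
	intermediate := NewCA("Example Intermediate CA", anchor, 1)
	issuing := NewCA("Example Issuing CA", intermediate, 0)
	validErr = Verify(NewLeaf("device-0001", issuing), anchor, intermediate, issuing)
	// CreateCertificate does not check the parent's pathLen, so the issuing CA can sign this;
	// only the relying party's path validation rejects the resulting chain.
	rogue := NewCA("Unauthorised Sub-CA", issuing, -1)
	rogueErr = Verify(NewLeaf("device-0002", rogue), anchor, intermediate, issuing, rogue)
	return validErr, rogueErr
}

func main() {
	validErr, rogueErr := Demo()
	fmt.Println("leaf from issuing CA:", validErr)
	fmt.Println("leaf from unauthorised sub-CA:", rogueErr)
}
```

Run with `go run .`: the first Verify returns nil, the second returns an x509.CertificateInvalidError whose Reason is x509.TooManyIntermediates. Two caveats for practitioners: the constraint is enforced only by the relying party's path validation (the issuing CA's software happily signed the rogue sub-CA), so it protects nothing if a validator ignores pathLenConstraint; and pathLen only bounds depth. When the subordinate CA belongs to another organisation, as in the "Enterprise Certificate" case Michael describes, the superior CA typically also constrains it with name constraints and certificate policies, which this example leaves out.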