RFC5280 uses the term "intermediate certificates", and they are presumably
issued by "intermediate" certification authorities.

That term does not appear, although "intermediate CA certificates" occurs.

RFC4949 defines "intermediate CA".
However, the usage in RFC4949 seems entirely related to cross-certification,
rather than a PKI that has multiple layers of certification authority!

RFC4949 defines "subordinate CA" in a way that implies it is part of the same
organization.
RFC5280 uses the term "subordinate" in section 3.2, but later in referring to
RFC1422, notes that in X509v3, we don't need the same structure.
In reading it, it feels that the term subordinate should refer to v1
certificates only.

At this point, in 2020, can someone give me some guidance on using these terms?

My intuition, which I have started to document at:

https://www.ietf.org/archive/id/draft-richardson-t2trg-idevid-considerations-01.html#name-number-of-levels-of-certifi

is that if the Trust Anchor (Level one) and the Level Two Certification
Authority are under control of the same organization, then the Level Two is
an "intermediate" certification authority.

However, if the Anchor (level N) and the Level N+1 certification authority
are in different organizations (such as for an "Enterprise Certificate"),
then the Level N+1 is a subordinate CA.

This question comes from working on draft-ietf-anima-constrained-voucher,
in which we have a number of choices on which certificate (or public key) to
pin our constrained-RFC8366 voucher.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima