On Wed, Apr 26, 2017 at 2:17 PM, Bruce Morton < [email protected]> wrote:
> Our software does not support changing the identity of a CA when you issue
> it a new certificate. I assume that this is similar to issuing passports. When
> an individual gets a passport they put their identity in the passport, when
> they renew their passport, they use the same identity.

Right, apologies I wasn't clearer - what's the use case for 'renewing' an intermediate? What functionality are you achieving versus, say, naming it as a new intermediate?

> We do use CNs for subordinate CAs and the CNs are unique per CA. We do not
> use unique CNs per CA certificate.
>
> Please also note that the unique CN is also for a unique private key.

Right, that's the bit of unnecessary complexity that I think is harmful (and can think of a variety of situations where it's caused a Bad Result for Security).
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
