[cabfpub] Terminology/Style question
jimmy at it.auth.gr
Tue Apr 4 10:11:24 MST 2017
On 4/4/2017 5:20 PM, Peter Bowen wrote:
>> By keeping exactly the same DN? Does this align with 4.1.2.6 of RFC
>> 5280, which requires unique DNs under one Issuing CA (probably a Root CA
>> in this case)?
> I'm not sure what part of 4.1.2.6 says this is not allowed. In fact
> it says: "A CA MAY issue more than one certificate with the same DN to
> the same subject entity.”
> Consider a situation where CAs are licensed by a central authority.
> A single legal entity may operate multiple CAs. This sort of
> requirement exists in other industries; for example the requirement in
> many US states that each restaurant kitchen be inspected and
> licensed even if a single company owns multiple kitchens. In the
> case of a licensed CA, it is clear that it is a specific subject
> entity. Therefore issuing multiple certificates with
> the same DN to that entity with different key pairs is fine.
It says exactly the following:
"The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field. A CA MAY issue more than one certificate with the same DN to the same subject entity."
I guess I was confused by the first sentence because having more than
one Certificate per subject entity per CA (as the Issuer) with the same
DN would break the uniqueness. I read it as uniqueness of DNs per CA
where you read it as uniqueness of a "subject entity" that can have the
same DN but multiple certificates with the same DN. Now I can understand
>>> While not mentioned, two different Issuing CAs can have the same key
>> I don't remember reading any requirement that prevents this.
>>> So, to answer your question: I would say those are both the same
>>> “Issuing CA”.
>> If two CA Certificates have exactly the same DN as in the example
>> above, we agree that we are talking about the same "Issuing CA".
>> However, we need to understand if the re-key process of an Issuing CA
>> is in accordance with RFC 5280 since this is not a "self-issued
>> certificate" that 5280 explicitly allows for keeping the same DN.
> As long as it is the same subject entity, then you can re-key.
> Consider certificates issued with the subject DN: CN=*.google.com,
> O=Google Inc, L=Mountain View, ST=California, C=US. crt.sh shows many
> many with this DN with different keys:
> <https://crt.sh/?cn=*.google.com&dir=%5E&sort=2> There are millions
> more similar cases where the CA has “renewed” a certificate with a new
> key or "rekeyed" a certificate. Are you saying that CAs are somehow
> different from other entities?
No, I think your example makes it perfectly clear :)
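The re-key case discussed above, worked through with the openssl command line as an added example (it is not part of the thread and not CA/Browser Forum material): one root signs two issuing-CA certificates that carry the identical subject DN but different key pairs, exactly what RFC 5280 section 4.1.2.6 permits, and a leaf is issued under the second key. The script then checks which of the two same-named issuers a relying party accepts. It assumes an openssl CLI of 1.1.1 or newer; every DN, file name and function name in it is a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the thread: two issuing-CA certificates that share
# one subject DN but carry different key pairs (a re-key), both signed by the
# same root, as RFC 5280 section 4.1.2.6 permits. It then shows that a
# relying party tells the two apart by the key identifiers, not by the name.
# Assumes the openssl CLI (1.1.1 or newer); all DNs are constructed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Subject DN shared by both issuing-CA certificates (constructed).
ISSUING_DN="/C=GR/O=Example CA Ltd/CN=Example Issuing CA"

# X.509v3 extensions: self-signed root, subordinate CA, end entity.
cat >"$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF

# Fresh key pair and CSR named $1 with subject DN $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed root carrying its own subject key identifier.
make_root() {
  new_csr root "/C=GR/O=Example CA Ltd/CN=Example Root CA"
  openssl x509 -req -sha256 -days 365 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/root.ext" \
    -out "$WORK/root.pem" 2>/dev/null
}

# Certificate $1 with subject $2, signed by issuer $3, extension file $4.
# -CAcreateserial keeps serial numbers unique per issuer across calls.
issue() {
  new_csr "$1" "$2"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$4.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Subject / authority key identifier of certificate $1 as colon-separated hex.
ski_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '
}
aki_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep -A1 'Authority Key Identifier' | tail -n1 | tr -d ' ' | sed 's/^keyid://'
}

# Validate the leaf with the root trusted and the named certificates offered
# as untrusted issuer candidates. Prints "ok" or "fail", always returns 0.
verify_leaf() {
  : >"$WORK/candidates.pem"
  for c in "$@"; do cat "$WORK/$c.pem" >>"$WORK/candidates.pem"; done
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/candidates.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

run_demo() {
  make_root
  issue ca_a "$ISSUING_DN" root ca    # issuing CA, key pair 1
  issue ca_b "$ISSUING_DN" root ca    # same DN, key pair 2: the re-key
  issue leaf "/C=GR/O=Example Org/CN=www.example.test" ca_b leaf
  # Both issuing-CA certificates present the same subject name...
  [ "$(openssl x509 -in "$WORK/ca_a.pem" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/ca_b.pem" -noout -subject)" ]
  # ...but different keys; the leaf's AKI names ca_b's key, so only ca_b is
  # accepted as its issuer. The DN alone does not identify the signer.
  echo "ca_a SKI : $(ski_of ca_a)"
  echo "ca_b SKI : $(ski_of ca_b)"
  echo "leaf AKI : $(aki_of leaf)"
  echo "ca_a only: $(verify_leaf ca_a)"
  echo "ca_b only: $(verify_leaf ca_b)"
  echo "both     : $(verify_leaf ca_a ca_b)"
}

run_demo
```

Run it as is; the last three lines print fail, ok, ok. The point for a relying party is the one the thread arrives at: two certificates with the same issuer DN are the same "Issuing CA" only in name, and a path builder that matches issuers purely by subject name cannot choose between the old and the new key. Including subjectKeyIdentifier in CA certificates and authorityKeyIdentifier in everything they issue is what lets openssl (and browsers) skip ca_a and pick ca_b.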