5

I want to know some information about the regulation of intermediate CAs. Is there any standard for intermediate CAs that determines how many intermediate CAs are required, or anything similar that concerns the application of intermediate CAs?

schroeder
e.re

2 Answers

4

CABForum "Baseline Requirements"

TLS certificates on The Web are governed primarily by the CA-Browser Forum Baseline Requirements, which all publicly-trusted CAs are required (by browser vendors) to follow.

In the Baseline Requirements (BRs), intermediate certificates are not explicitly required to be used at all. In theory, a CA could just sign all their certificates with their root certificate's key. From a practical perspective though, intermediates are necessary because the root key is usually kept offline to protect it from compromise by malicious actors.

If an intermediate certificate is issued to a third party, that party becomes a Subordinate CA of the original, Root CA. In such cases, the BRs specify that the Subordinate CA must follow the Baseline Requirements just as the Root CA does:

Section 1.1 says:

These Requirements are applicable to all Certification Authorities within a chain of trust. They are to be flowed down from the Root Certification Authority through successive Subordinate Certification Authorities.

Currently, the Baseline Requirements grant the Root CA the responsibility of ensuring that its Subordinate CAs follow the Baseline Requirements.

Section 9.6.1 says:

The Root CA SHALL be responsible for the performance and warranties of the Subordinate CA, for the Subordinate CA’s compliance with these Requirements, and for all liabilities and indemnification obligations of the Subordinate CA under these Requirements, as if the Root CA were the Subordinate CA issuing the Certificates.

Mozilla Root Store Policy

Additionally, some browsers' root store programs may impose additional regulations on intermediate certificates above and beyond what the Baseline Requirements require. Mozilla, for example, requires the existence of any subordinate CA certificates to be disclosed publicly in section 5.3.2 of their Root Store Requirements:

All certificates that are capable of being used to issue new certificates, that are not technically constrained, and that directly or transitively chain to a certificate included in Mozilla’s root program MUST be audited in accordance with Mozilla’s Root Store Policy and MUST be publicly disclosed in the CCADB by the CA that has their certificate included in Mozilla’s root program. The CA with a certificate included in Mozilla’s root program MUST disclose this information within a week of certificate creation, and before any such subordinate CA is allowed to issue certificates. All disclosure MUST be made freely available and without additional requirements, including, but not limited to, registration, legal agreements, or restrictions on redistribution of the certificates in whole or in part.

Aside from that, I'm not aware of any further standards regulating the use of intermediate certificates.

Ajedi32
  • I mean, imagine a country that implements its PKI base and, with one root CA, wants to have some subordinates. These subordinates should issue certificates on demand, but how are the criteria for the application of subordinates, or their number, determined? For example, one subordinate issues certificates for health care applications; maybe another subordinate issues for transportation, etc. I want to know how many are needed. Is there any standard like ISO or PKCS? Does it depend on the needs of each country? – e.re Mar 17 '18 at 09:03
  • @e.re No. If you're setting up your own PKI that's not publicly trusted then you can do whatever you want with your intermediate CAs. – Ajedi32 Mar 17 '18 at 15:27
  • That's right, dear Ajedi32, but I want to research this subject for an official PKI for a specific country. – e.re Mar 18 '18 at 06:52
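As an added example (not part of Ajedi32's answer and not any CA's own code), the Go program below builds the kind of hierarchy the answer describes: a root whose key would stay offline, one issuing CA under it that is technically constrained (pathlen:0, an EKU limited to serverAuth, and a Name Constraints extension permitting only example.com), and two leaf certificates. It then applies a simplified reading of Mozilla's "technically constrained" test to each certificate (CA:TRUE plus an EKU without anyExtendedKeyUsage, and Name Constraints whenever serverAuth is permitted) and shows the verifier rejecting a leaf outside the permitted name space. All names, serial numbers and hostnames are constructed, and the Classify rule is a summary of the policy, not its text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed three-tier hierarchy; every name in it is made up.
type DemoPKI struct {
	Root, Intermediate, GoodLeaf, BadLeaf *x509.Certificate
}

// issue signs tmpl with the parent's private key; parent == nil self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates root -> constrained issuing CA -> two leaves.
func BuildDemoPKI() (*DemoPKI, error) {
	keys := make([]*ecdsa.PrivateKey, 4)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, caKey, goodKey, badKey := keys[0], keys[1], keys[2], keys[3]
	now := time.Now()

	// Root: CA:TRUE, no EKU, no name constraints. In a real deployment this key
	// lives offline and signs only intermediate certificates and CRLs.
	rootCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Issuing CA: pathlen:0 (may only issue end-entity certs), EKU limited to
	// serverAuth, and a critical Name Constraints extension for example.com.
	interCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Constrained Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(3 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, MaxPathLen: 0, MaxPathLenZero: true,
		PermittedDNSDomains: []string{"example.com"}, PermittedDNSDomainsCritical: true,
	}, rootCert, &caKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf := func(serial int64, host string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, interCert, &key.PublicKey, caKey)
	}
	good, err := leaf(3, "www.example.com", goodKey) // inside the permitted name space
	if err != nil {
		return nil, err
	}
	bad, err := leaf(4, "www.example.net", badKey) // outside it: the CA will sign it, verifiers must reject it
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: rootCert, Intermediate: interCert, GoodLeaf: good, BadLeaf: bad}, nil
}

// Classify is a simplified (assumed) summary of the Mozilla "technically
// constrained" rule: CA:TRUE plus a restrictive EKU, and Name Constraints if
// serverAuth is allowed. Anything else that can sign certificates is the
// "unconstrained" case that must be audited and disclosed.
func Classify(c *x509.Certificate) string {
	if !c.BasicConstraintsValid || !c.IsCA {
		return "not a CA"
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return "CA, unconstrained"
	}
	hasNC := len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+len(c.PermittedIPRanges)+len(c.ExcludedIPRanges) > 0
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny || (eku == x509.ExtKeyUsageServerAuth && !hasNC) {
			return "CA, unconstrained"
		}
	}
	return "CA, technically constrained"
}

// VerifyLeaf builds and validates the chain leaf -> intermediate -> root for host.
func VerifyLeaf(p *DemoPKI, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{p.Root, p.Intermediate, p.GoodLeaf, p.BadLeaf} {
		fmt.Printf("%-30s %s\n", c.Subject.CommonName, Classify(c))
	}
	fmt.Println("www.example.com:", VerifyLeaf(p, p.GoodLeaf, "www.example.com"))
	fmt.Println("www.example.net:", VerifyLeaf(p, p.BadLeaf, "www.example.net"))
}
```

The point the program makes is the one behind the Mozilla disclosure rule quoted above: a subordinate CA's issuing power is bounded only by what its own certificate says (Basic Constraints, EKU, Name Constraints), and those bounds are enforced by relying parties at verification time, not by the CA that signed it. An intermediate without such bounds can issue for any name, which is why it must be audited and disclosed like a root.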
1

Check out the Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates. What, in part, is this document about?

The scope of these Requirements includes all “Code Signing Certificates”, as defined below, and associated Timestamp Authorities, and all Certification Authorities technically capable of issuing Code Signing Certificates, including any Root CA that is publicly trusted for code signing and all other CAs that might serve to complete the validation path to such Root CA (emphasis mine).

Hopefully this has what you're looking for, or is at least a step in the right direction.