[Pki-devel] assorted sub-CA use case questions

Christina Fu cfu at redhat.com
Thu Apr 2 17:28:12 UTC 2015

Hi Fraser,

please see my response in-line ...


On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
> Hi Christina,
> The following questions emerged in recent discussions and work on
> sub-CAs.  Your responses will be helpful in working out what work is
> needed, and when.
> *OCSP signing*
> Currently sub-CAs sign OCSP responses with the CA signing
> certificate, rather than using the CA cert to sign an OCSP signing
> cert and delegating OCSP signing to it.
> Question : do you expect customers who use sub-CAs will want to be
> able to choose whether sub-CAs have OCSP signing delegate?  If so,
> how fine-grained should the control be (instance-wide config,
> per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
> signing directly by CA acceptable for initial release of sub-CAs)?
In general, I don't think people are aware nor do they care who signs 
what as long as it works.  However, if we want to make a default choice 
for them, I think it's best if we make the right one.  For a secure 
site, I'd choose to have a separate OCSP responder with a separate ocsp 
signing cert, as the administrator of the ocsp response system would not 
need to have access to the CA's signing keys.  The separate ocsp signing 
cert would also allow it to be given a shorter validity period than that of 
the CA.

If your target customers don't really care much about the above then 
technically, I don't see any issue -- the clients should work as long as 
your ocsp signing cert is valid.

> *Sub-CA DNs*
> There is currently no check that a sub-CA's DN is unique.
> Question : should we enforce CA DN uniqueness within the Dogtag
> instance?
Yes. There exists a UniqueSubjectNameConstraint that can be used for 
this purpose.

> *Sub-CA certificate profile*
> Currently sub-CA certificates are created using the `caCert' profile
> (the same profile that is used for the self-signed root
> certificate).
> Question : how much control over aspects of the sub-CA certificates
> will customers need or want?  (e.g. validity period,
> pathLenConstraint, nonstandard extensions, etc).  Is using the
> `caCert' profile defaults fine for the initial release?

I think it's fine.  As long as we provide the flexibility, they can 
always create new ones if they see fit.

> Look forward to your input.
> Cheers,
> Fraser
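The delegated-responder arrangement discussed above, as an added example that is not code from this thread or from Dogtag: it assumes the Python `cryptography` package, builds a constructed sub-CA plus an OCSP signing certificate with its own key and a much shorter validity, and applies the RFC 6960 section 4.2.2.2 rule a verifier uses to decide whether a certificate may sign OCSP responses for that CA (the CA itself, or a cert the CA issued directly carrying the OCSPSigning EKU).

```python
# Added example, not code from the pki-devel thread or Dogtag. Needs `cryptography`.
# The CA key is used only for issuance; the responder key is a separate, constructed key.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, pubkey, days, is_ca=False, eku=None):
    """Issue a cert valid for `days`; CA certs get basicConstraints, responders an EKU."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def ocsp_signer_authorized(signer, ca):
    """True if `signer` may sign OCSP responses about certs issued by `ca`."""
    if signer == ca:
        return True  # the CA signs directly, as the thread says Dogtag sub-CAs do today
    if signer.issuer != ca.subject:
        return False  # a delegated responder must be issued directly by the CA
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        return False  # any other CA-issued cert is not a responder
    try:  # signature check: the responder cert really was issued under the CA key
        ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                               ec.ECDSA(signer.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = make_cert(_name("Constructed Sub-CA"), _name("Constructed Sub-CA"), ca_key,
                    ca_key.public_key(), days=3650, is_ca=True)
resp_key = ec.generate_private_key(ec.SECP256R1())  # held by the OCSP admin, not the CA
ocsp_cert = make_cert(_name("Constructed OCSP Responder"), ca_cert.subject, ca_key,
                      resp_key.public_key(), days=30, eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
plain_cert = make_cert(_name("Constructed Server"), ca_cert.subject, ca_key,
                       ec.generate_private_key(ec.SECP256R1()).public_key(), days=365)
```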
