Questions about signing an intermediate CA

[Michael Wojcik]

> From: Michael Leone [mailto:turgon at mike-leone.com]
> Sent: Wednesday, February 12, 2020 12:35

> Even though I used what might be the wrong terms, I'm sure you knew what I meant ...

Sure. But PKIX, and X.509-based PKI more generally, are - not to mince words - horrible. They're agonizingly complicated and confusing, and arguably fundamentally broken in various respects. (See for example the issues raised by the infamous "The OSI of a New Generation" presentation.)

And here on the openssl-users list there are people with widely varying experience with and understanding of these matters; and the list is archived in various places, which means there's some chance someone will read these notes years from now. Many of those people don't have the time to become experts in PKI, and will want to be able to search for additional information based on what they see here.

So it's useful to try to be very precise in our terminology.

Often, for example, the cognoscenti will refer to a certificate's "purpose". That's an ambiguous term. In context it might refer to Basic Constraints, or Key Usage, or Extended Key Usage, or even the old Netscape Cert Type; it might refer to something inferred from other attributes (if Subject DN is the same as Issuer DN, then it's self-signed and possibly a root); or it might refer to something particular to its PKI or application, and not actually an attribute of the certificate at all. That's fine when we all understand what we're talking about. On the list, however, it's best to be explicit: "EKU should include TSL Web Server Authentication for this type of certificate" and so forth.

For some readers, using "CA" and "certificate" interchangeably could be very confusing.

So I'm not being pedantic just for its own sake (I can yell at the television for that). Apologies if it came across that way.

--
Michael Wojcik