Re: Cross-signing non-self-signed third party certificate

On 30.05.23 14:26, Jochen Bern wrote:
> 1. The cert (or, for that matter, CSR) being *self* signed serves as
>    proof that the requesting party is in possession of the private key.
> 2. You want to sign info on the subject you verified, not someone else's
>    interpretation of the subject; e.g., a person's cert from a 3rd party
>    CA giving the OU as "FooBar E-Mail-Reply Verified Personal
>    Certificates" is unlikely to correctly state the dpt. the person
>    works in. (Assuming that you would want to copy *anything* beyond the
>    pubkey from the preexisting cert into the new one, of course.)

Hi Jochen,

While these points may be relevant in some environments, I don't think they are enough reason to completely forbid users from cross-signing non-self-signed certificates.
Ultimately, this should be up to the user.

In our specific use case, it is we who want to trust part of a third-party PKI, but restrict that trust by cross-signing with a name constraint. The third party may not be very interested in this ("simply import our CA as is"), but we want to do it because internal PKIs are not held to the same standard as public CAs, which are bound by the CA/Browser Forum Baseline Requirements.

Best regards
Yannik
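
The setup Yannik describes, as an added example that is not part of this thread and not an OpenSSL project script: a third party runs its own root and an issuing CA under it (so the issuing CA certificate is not self-signed), we cross-sign that issuing CA under our own root with a critical nameConstraints extension, and then check which of the third party's leaf certificates chain to us. Because the third party never hands over a CSR, the cross-certificate is assembled from nothing but the subject and the public key of their CA certificate, using `-force_pubkey` on a CSR signed with a throwaway key; that is also exactly why there is no proof of possession, the first objection quoted above. It assumes an OpenSSL 1.1.1 or 3.x command line on PATH; every name (Our Internal Root, Third Party Root, Third Party Issuing CA, the example.com and example.org hosts), file name and the `.example.com` constraint is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from this thread, not an OpenSSL project script):
# cross-sign a third party's NON-self-signed issuing CA under our own root,
# adding a name constraint so that only names under .example.com chain to us.
# Assumes an OpenSSL 1.1.1 or 3.x CLI on PATH. All names and files are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for an intermediate CA issued by a parent CA.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Extensions for OUR cross-certificate: same CA profile plus the constraint
# that limits what we are willing to accept from the third party's CA.
cat > cross.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, permitted;DNS:.example.com
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
# Subject or issuer DN of a cert, without the "subject="/"issuer=" label.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }
self_signed() { [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]; }
# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a cert.
pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

self_signed_ca() { # $1=basename  $2=CN
  newkey "$1.key"
  openssl req -x509 -config req.cnf -extensions ca_ext -key "$1.key" -subj "/CN=$2" -days 30 -out "$1.pem" 2>/dev/null
}
sign_with() { # $1=CSR basename  $2=issuing CA basename  $3=extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}
issue_leaf() { # $1=hostname; issued by the third party's intermediate
  newkey "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\nauthorityKeyIdentifier = keyid\n' "$1" > "$1.ext"
  sign_with "$1" tp-int "$1.ext"
}
# Cross-sign: build OUR certificate for THEIR CA from nothing but its subject and
# public key. No CSR from the third party is needed, which also means nothing here
# proves that they hold the matching private key.
cross_sign() { # $1=third-party CA cert  $2=its subject in /-form  $3=output
  openssl x509 -in "$1" -noout -pubkey > tp.pub
  newkey throwaway.key                    # only signs the CSR that carries the subject
  openssl req -new -config req.cnf -key throwaway.key -subj "$2" -out cross.csr 2>/dev/null
  openssl x509 -req -in cross.csr -force_pubkey tp.pub -CA our-root.pem -CAkey our-root.key \
    -set_serial 0x1001 -days 30 -extfile cross.ext -out "$3" 2>/dev/null
  rm -f throwaway.key cross.csr
}
# Path validation through OUR root (constrained) vs. the third party's own root.
chain_ok()    { openssl verify -CAfile our-root.pem -untrusted tp-int-cross.pem "$1" >/dev/null 2>&1; }
tp_chain_ok() { openssl verify -CAfile tp-root.pem  -untrusted tp-int.pem       "$1" >/dev/null 2>&1; }

# --- Build the scenario ---
self_signed_ca our-root "Our Internal Root"
self_signed_ca tp-root  "Third Party Root"
newkey tp-int.key
openssl req -new -config req.cnf -key tp-int.key -subj "/CN=Third Party Issuing CA" -out tp-int.csr 2>/dev/null
sign_with tp-int tp-root ca.ext           # the third party's CA: issued, not self-signed
issue_leaf www.example.com
issue_leaf www.example.org
cross_sign tp-int.pem "/CN=Third Party Issuing CA" tp-int-cross.pem

# Checks worth running before deploying a cross-certificate: subject and public
# key must be identical to the original, or the third party's leaf certificates
# (whose issuer/AKI point at the original CA) will never build a path to our root.
[ "$(dn tp-int.pem subject)" = "$(dn tp-int-cross.pem subject)" ]
[ "$(pubkey_fp tp-int.pem)" = "$(pubkey_fp tp-int-cross.pem)" ]
openssl x509 -in tp-int-cross.pem -noout -subject -issuer -ext nameConstraints
for host in www.example.com www.example.org; do
  echo "== $host via our root (constrained):"
  openssl verify -CAfile our-root.pem -untrusted tp-int-cross.pem "$host.pem" 2>&1 || true
  echo "== $host via the third party's own root (unconstrained):"
  openssl verify -CAfile tp-root.pem -untrusted tp-int.pem "$host.pem" 2>&1 || true
done
```

The example.org leaf is accepted through the third party's own root and rejected through ours with a permitted subtree violation, which is the whole point of cross-signing instead of importing their CA as is. Marking nameConstraints critical is deliberate: a validator that does not implement the extension must then reject the chain (RFC 5280) instead of silently honouring the unconstrained path. With a real third-party CA, replace the hard-coded subject with the exact DN found in the issuer field of one of their leaf certificates, and keep the subject and public-key checks, since a DN that differs in any attribute breaks path building.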
