Hi Christina,

The following questions emerged in recent discussions and work on
sub-CAs. Your responses will be helpful in working out what work is
needed, and when.

*OCSP signing*
Currently sub-CAs sign OCSP responses with the CA signing
certificate, rather than using the CA cert to sign an OCSP signing
cert and delegating OCSP signing to it.

Question: do you expect customers who use sub-CAs will want to be
able to choose whether sub-CAs have OCSP signing delegated? If so,
how fine-grained should the control be (instance-wide config,
per-sub-CA, etc.?), and can this feature be deferred (i.e. is OCSP
signing directly by the CA acceptable for the initial release of sub-CAs)?

*Sub-CA DNs*
There is currently no check that a sub-CA's DN is unique.

Question: should we enforce CA DN uniqueness within the Dogtag
instance?

*Sub-CA certificate profile*
Currently sub-CA certificates are created using the `caCert' profile
(the same profile that is used for the self-signed root
certificate).

Question: how much control over aspects of the sub-CA certificates
will customers need or want? (e.g. validity period,
pathLenConstraint, nonstandard extensions, etc.). Is using the
`caCert' profile defaults fine for the initial release?

Look forward to your input.

Cheers,
Fraser