RSA didn't set up a residential CA; it set up a residential PCA --- and
there's a world of difference between the two.
--
This certainly does not appear to be the case. Unaffiliated User
Certification Authority is certified under Commercial Certification
Authority. The only indications I have received are that Commercial
CA will become a PCA. Someone from RSA can feel free to correct me.
TIS Residential CA is in a similar situation (but with TIS PCA of course).
Again, someone from TIS may correct me if I am mistaken.
If the intent is to have these 2 residential CAs be PCAs and the current
hierarchy is merely cross-certification by PCAs, then fine by me.
But I do not believe this to be the case.
Ali Bahreman expressed some doubts as to whether there is a subordination
requirement on users. I refer to paragraph 6 of section 3.4.2.2 of RFC 1422:
"In general, CAs are expected to sign certificates only if the subject DN in
the certificate is subordinate to the issuer (CA) DN.... CAs may sign
certificates which do not comply with this requirement if the certificates
are 'cross-certificates' or 'reverse certificates' used with applications
other than PEM." Clearly, this does not include RSA's UUCA nor TIS' RCA.
At this point, I am tempted to remove the DN subordination requirement
when checking certificates...
-Ray
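One way to implement the RFC 1422 section 3.4.2.2 subordination check that the message quotes, as an added example that is not part of the original thread or of any PEM implementation. The DN syntax handled, the `Cert` type and every DN in the sample chain are constructed for illustration; they are not RSA's or TIS's actual names.

```python
from dataclasses import dataclass
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value), e.g. ("OU", "Commercial CA")


def parse_dn(text: str) -> List[RDN]:
    """Parse a root-first, comma-separated DN string into a list of RDNs.

    Assumptions made for this example only: single-valued RDNs, no commas
    or '=' inside values, attribute types compared case-insensitively and
    values compared exactly.
    """
    rdns: List[RDN] = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_subordinate(subject: List[RDN], issuer: List[RDN]) -> bool:
    """RFC 1422 3.4.2.2: the subject DN must lie below the issuer DN in the
    X.500 tree, i.e. the issuer's RDN sequence is a strict prefix of the
    subject's.  A DN is not subordinate to itself."""
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate: only the two DNs the check needs."""
    issuer: str
    subject: str


def subordination_violations(chain: List[Cert]) -> List[str]:
    """Return the subject DN of every certificate in `chain` whose subject is
    not subordinate to its issuer.  A strict PEM validator would reject such
    a certificate; the cross-certificate / reverse-certificate exemption in
    RFC 1422 applies only to applications other than PEM."""
    return [
        cert.subject
        for cert in chain
        if not is_subordinate(parse_dn(cert.subject), parse_dn(cert.issuer))
    ]


# Constructed chain modelled on the thread's scenario: a PCA certifies a
# commercial CA under its own name, which then certifies one subject named
# below the CA and one individual whose DN was chosen by the user and does
# not sit under the CA's DN.  All names are made up for the example.
EXAMPLE_CHAIN = [
    Cert(issuer="C=US, O=Example PCA",
         subject="C=US, O=Example PCA, OU=Commercial CA"),
    Cert(issuer="C=US, O=Example PCA, OU=Commercial CA",
         subject="C=US, O=Example PCA, OU=Commercial CA, CN=Bob Employee"),
    Cert(issuer="C=US, O=Example PCA, OU=Commercial CA",
         subject="C=US, L=Somewhere, CN=Alice Resident"),
]

if __name__ == "__main__":
    for bad in subordination_violations(EXAMPLE_CHAIN):
        print("subject not subordinate to issuer:", bad)
```

Running it reports only the residential user's certificate, which is the situation the message describes: the unaffiliated user's DN is not under the issuing CA's DN, so a validator that enforces the paragraph literally rejects it even though the certificate is neither a cross-certificate nor a reverse certificate.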