Question on repurposing PublicCAs to PrivateCAs


Arabella Barks

Jan 29, 2026, 3:26:41 PM
to dev-secur...@mozilla.org
Yo! mortals

I noticed that DigiCert (after Symantec PKI acquisition) utilized the legacy VeriSign root to facilitate Private PKI. Specifically, they issued a cross-sign root CA for private CA use that chains back to the legacy roots.

You can see the details here: [Private SSL Cross Root Intermediate CA Certificate | CertCentral](https://knowledge.digicert.com/alerts/private-ssl-cross-root-intermediate-ca-certificate-certcentral). The historic publicly-trusted CAs involved include:
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network

The Core Issue: some legacy devices and older OS still retain the trust for these legacy roots.

This means that certificates issued by this "Private" CA will be implicitly trusted by these legacy environments. Effectively, this allows a Private CA to inherit public trust on older platforms without necessarily adhering to public trust standards (such as the Baseline Requirements or Certificate Transparency). This poses a significant security threat to users on older infrastructure. It effectively creates a "shadow", partially publicly-trusted PKI that bypasses modern compliance checks.

No matter how niche the legacy device market share is, we cannot let it become a security blind spot. I strongly urge the CA/B industries to prohibit such repurposing of Public CAs for Private CA purposes (even if they are retired or untrusted).

Looking forward to hearing your thoughts.

Wish you all good fortune!
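The cross-signing situation described in this post, as an added example (not code from the post or from DigiCert): it enumerates every name-chained path a leaf can build through a pool of CA certificates and flags the paths that terminate at a retired public root such as the two VeriSign roots listed above. Certificates are modelled as (subject, issuer) name pairs only; the private CA names and the sample pool are constructed, and signature verification, validity periods and name constraints are deliberately out of scope.

```python
"""Flag certificate paths that end at a retired public root.

A private issuing CA that is cross-signed by a legacy public root has two
paths: one to the private root and one to the legacy root. The second path
is the one an old trust store would accept. Names only, no crypto."""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Retired public roots that older trust stores may still contain (DNs from the post).
LEGACY_PUBLIC_ROOTS = {
    "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
    "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, "
    "OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network",
}

def build_paths(leaf, pool, max_depth=6):
    """Return every path [leaf, ..., self-signed root] reachable by matching
    each certificate's issuer name to a subject name in the pool."""
    paths = []
    def walk(path):
        current = path[-1]
        if current.subject == current.issuer:      # self-signed: a trust anchor
            paths.append(path)
            return
        if len(path) >= max_depth:                 # bound cross-sign loops
            return
        for cand in pool:
            if cand.subject == current.issuer and cand not in path:
                walk(path + [cand])
    walk([leaf])
    return paths

def legacy_trust_paths(leaf, pool):
    """Paths that terminate at a retired public root: these are the ones a
    legacy device would accept even though the CA is operated as private."""
    return [p for p in build_paths(leaf, pool) if p[-1].subject in LEGACY_PUBLIC_ROOTS]

# Constructed sample pool (hypothetical private CA names): a private root, an
# issuing CA cross-signed by both that root and a legacy public root, and a leaf.
PRIVATE_ROOT = "CN=Example Private Root CA"      # hypothetical
ISSUING_CA = "CN=Example Private Issuing CA"     # hypothetical
LEGACY_ROOT = "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority"
SAMPLE_POOL = [
    Cert(PRIVATE_ROOT, PRIVATE_ROOT),
    Cert(ISSUING_CA, PRIVATE_ROOT),               # normal private chain
    Cert(ISSUING_CA, LEGACY_ROOT),                # cross-signed by the legacy root
    Cert(LEGACY_ROOT, LEGACY_ROOT),               # still present in old trust stores
]
SAMPLE_LEAF = Cert("CN=internal.example.test", ISSUING_CA)
```

Running `legacy_trust_paths(SAMPLE_LEAF, SAMPLE_POOL)` over a real pool would take the subject and issuer strings from parsed certificates; an operator auditing an old device's trust store would want exactly the paths this returns to be empty.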