Reasons for implementing intermediate code signing certificate root
Reasons for implementing an Intermediate Certificate in the Code Signing Certificate chain
The business case for Thawte changing the way we sign Code Signing Certificates, is because we are moving towards best practices for Certification Authorities (CA). The root certificates for CA's are kept very safe and for obvious reasons the compromise of these keys is something that we spend a lot of our resources on preventing from happening. We closely follow the stipulations in our CPS which you can download at the following page: http://www.thawte.com/cps/index.html
One of the requirements for good key management is to limit the compromise of a key to as small a group as possible, and by introducing the Intermediate Certificate this is possible. If the Intermediate Certificate should ever be compromised, then that certificate would be revoked. In the case of the Code Signing Intermediate certificate, this would mean that only the code signing customers would be affected. The SSL Web Server Certificate, Thawte SGC (Server Gated Cryptography SSL) SuperCert and Thawte SSL123 Certificates would not be affected as they are signed off different Intermediate and Root Certificates.
As it is our aim to follow best practices and our duty as a public company to do so, we will implement the use of intermediate certificates more in future.