I have observed the practice of creating dedicated issuer CAs for signing TSU (Time Stamping Unit) certificates instead of simply using an existing issuer CA that is already used, for example, for signing S/MIME or SSL certificates.
Here are some examples of certification paths I came across:
- CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- CN=TIMESTAMP-SHA256-2019-10-15,O=DigiCert, Inc.,C=US
- CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
- CN=AC Camerfirma TSA CA,O=AC Camerfirma SA,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),emailAddress=firstname.lastname@example.org,C=ES
- CN=Certificado TSU GSD,O=GSD SAC,L=Lima,emailAddress=email@example.com,C=PE
- CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
- CN=AC Camerfirma Portugal - 2015,L=Madrid (see current address at www.camerfirma.com/address),serialNumber=A82743287,O=AC Camerfirma S.A.,C=ES
- CN=DigitalSign Primary CA,L=Guimaraes (see current address at www.digitalsign.pt),serialNumber=PT507015851,O=DigitalSign Certificadora Digital,C=PT
- CN=DigitalSign TSA CA,O=DigitalSign Certificadora Digital,L=Guimaraes (see current address at www.digitalsign.pt),C=PT,serialNumber=PT507015851
- CN=SigningHub Timestamping Service,OU=SigningHub Cloud Service,O=Ascertia Ltd,C=GB
In all of these cases, the name of the issuing certification authority indicates that it is intended for signing TSU certificates.
Now I see a valid point for this practice in https://security.stackexchange.com/a/109134/10247, where it says:
> You can differentiate by using different intermediate certification authorities to issue end-entity certificates. It makes it possible to create trust rules that restrict the use of certificates based on the issuing CA.
But it doesn't seem to me to be justified in this case.
So do you have another reason that could justify creating a dedicated issuer CA just for signing TSU certificates?
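The point made in the quoted answer is easier to see with a concrete relying party. The Go program below is an added example; it is not code from this question, from the linked answer, or from any of the CAs listed above, and every name in it is constructed. It builds a root with two intermediates, one dedicated to time-stamping (its own EKU limited to id-kp-timeStamping) and one general-purpose, then applies a trust rule that accepts a TSU certificate only if its chain runs through the dedicated CA. Ordinary path validation accepts a time-stamping certificate issued under the general CA; the trust rule does not. It also shows that Go, like several other chain builders, applies the requested EKU to intermediates, so a serverAuth certificate mis-issued under the time-stamping CA cannot validate for TLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed hierarchy for illustration; none of the names below is a real CA

type issuer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// template builds a minimal CA or end-entity template; ekus become a (non-critical) EKU extension.
func template(cn string, isCA bool, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: ekus, BasicConstraintsValid: true, IsCA: isCA,
	}
}

// mustIssue issues tmpl under parent, or self-signs it when parent is nil (demo code, so errors panic).
func mustIssue(tmpl *x509.Certificate, parent *issuer) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{key: key, cert: cert}
}

// demoPKI: one root, a time-stamping intermediate (EKU limited to id-kp-timeStamping), a general intermediate, three leaves.
type demoPKI struct {
	root, tsaCA, generalCA                   *x509.Certificate
	tsuLeaf, tsuFromGeneralCA, tlsUnderTSACA *x509.Certificate
}

func buildDemoPKI() *demoPKI {
	root := mustIssue(template("Example Root CA", true), nil)
	tsaCA := mustIssue(template("Example Timestamping CA", true, x509.ExtKeyUsageTimeStamping), root)
	generalCA := mustIssue(template("Example General CA", true), root)
	return &demoPKI{
		root: root.cert, tsaCA: tsaCA.cert, generalCA: generalCA.cert,
		tsuLeaf:          mustIssue(template("Example TSU 2024-01", false, x509.ExtKeyUsageTimeStamping), tsaCA).cert,
		tsuFromGeneralCA: mustIssue(template("TSU from the wrong CA", false, x509.ExtKeyUsageTimeStamping), generalCA).cert,
		tlsUnderTSACA:    mustIssue(template("www.example.test", false, x509.ExtKeyUsageServerAuth), tsaCA).cert,
	}
}

// verifyForUsage runs ordinary path validation to the demo root for one EKU. Go applies the
// requested EKU to intermediates too, so the time-stamping CA can never yield a serverAuth chain.
func verifyForUsage(leaf *x509.Certificate, pki *demoPKI, usage x509.ExtKeyUsage) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pki.root)
	inters.AddCert(pki.tsaCA)
	inters.AddCert(pki.generalCA)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
}

// verifyTimestampSigner is a relying party's trust rule for a TSU certificate: a chain valid for
// id-kp-timeStamping that runs through the dedicated time-stamping CA and no other intermediate.
func verifyTimestampSigner(leaf *x509.Certificate, pki *demoPKI) error {
	chains, err := verifyForUsage(leaf, pki, x509.ExtKeyUsageTimeStamping)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if len(chain) == 3 && chain[1].Equal(pki.tsaCA) {
			return nil
		}
	}
	return errors.New("TSU certificate was not issued by the dedicated time-stamping CA")
}

func main() {
	pki := buildDemoPKI()
	fmt.Println("TSU under Timestamping CA:", verifyTimestampSigner(pki.tsuLeaf, pki))
	fmt.Println("TSU under General CA:", verifyTimestampSigner(pki.tsuFromGeneralCA, pki))
	_, err := verifyForUsage(pki.tlsUnderTSACA, pki, x509.ExtKeyUsageServerAuth)
	fmt.Println("TLS leaf under Timestamping CA for serverAuth:", err)
}
```

Two simplifications to keep in mind when reading it: KeyUsage is omitted because Go's verifier ignores it (real CA profiles set it), and RFC 3161 section 2.3 requires the EKU extension on a TSU certificate to be critical, which Go's ExtKeyUsage field never emits, so a real issuer would add that extension through ExtraExtensions. EKU processing on intermediate certificates is validator behaviour rather than an RFC 5280 requirement, which is exactly why the explicit issuer check in verifyTimestampSigner is worth having: without a dedicated issuing CA there is nothing for such a rule to key on.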