I take silence as approval.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions

Hi

I got a number of responses on user certificates, but quite little that actually answered my question. I have tried to dig a little bit more into X.509 to get hold of the terminology and then produced the figure below. I will not comment on all the boxes. I would like you to comment on the correctness of the above figure.

The end-entity certificate is not defined in the definitions clause. However, it is used widely in the main text. It is mentioned the first time in clause 7 as a public-key certificate. There are several other places where it is a public-key certificate. In 15.5.2.4 it is used in the context of attribute certificates. The conclusion must be that an end-entity certificate can be either an end-entity public-key certificate or an end-entity attribute certificate. However, in most places, it is implied that we only talk about public-key certificates. For veterans, this is not a major problem, but newcomers may get confused. Anyway, I think our specifications should be clear and not subject to interpretation.

RFC 5280 does not use the term at all. It seems just to use the term "certificate" as a synonym for "end-entity public-key certificate".

The "User Certificate" is not defined in X.509, but is widely used. It seems to be a synonym for "end-entity public-key certificate". It is also used in X.511. RFC 5280 uses the term once without differentiating it from just "certificate".

The term "cross-certificate" should probably also be qualified.
I suggest adding to X.509 definitions for:

"end-entity public-key certificate"
"user certificate" as a synonym for "end-entity public-key certificate"
"end-entity attribute certificate"

The X.509 text should be updated to make use of these definitions.

X.509 has four attribute types for holding certificates:

userCertificate: For end-entity public-key certificates
cACertificate: For CA certificates
attributeCertificateAttribute: For end-entity attribute certificates
aACertificate: For AA certificates

Any comments?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com
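The four directory attribute types listed in the message sort certificates by category, and on the public-key side the distinction between an end-entity (user) certificate and a CA certificate is carried by the certificate itself, in the basicConstraints extension. The Go program below is an added example, not part of this thread or of any X.509/X.500 implementation: it builds a throwaway CA certificate and an end-entity certificate issued by it (constructed test data), then returns the attribute type, userCertificate or cACertificate, that each belongs in. Attribute certificates (attributeCertificateAttribute, aACertificate) are outside what Go's crypto/x509 models and are not covered. The function and constant names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Directory attribute types named in the thread, public-key side only.
// Attribute certificates are not modelled in this example.
const (
	AttrUserCertificate = "userCertificate" // end-entity public-key certificates
	AttrCACertificate   = "cACertificate"   // CA certificates
)

// ClassifyPublicKeyCertificate maps a parsed public-key certificate to the
// directory attribute type that should hold it. The decision is the
// basicConstraints cA flag: a certificate asserting cA=TRUE is a CA
// certificate; anything else (including a certificate with no
// basicConstraints extension at all) is an end-entity certificate.
func ClassifyPublicKeyCertificate(cert *x509.Certificate) string {
	if cert.BasicConstraintsValid && cert.IsCA {
		return AttrCACertificate
	}
	return AttrUserCertificate
}

// ClassifyDER parses a DER-encoded certificate and classifies it.
func ClassifyDER(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return ClassifyPublicKeyCertificate(cert), nil
}

// makeCertPair builds a constructed, throwaway self-signed CA certificate
// and an end-entity certificate issued by it, returning both in DER form.
func makeCertPair() (caDER, eeDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true, // basicConstraints cA=TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template is also the parent.
	caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	eeTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example End Entity (constructed)"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  false, // basicConstraints cA=FALSE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	// Issued by the CA: parent is the CA certificate, signed with the CA key.
	eeDER, err = x509.CreateCertificate(rand.Reader, eeTmpl, caCert, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caDER, eeDER, nil
}

func main() {
	caDER, eeDER, err := makeCertPair()
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{"CA": caDER, "end-entity": eeDER} {
		attr, err := ClassifyDER(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s certificate -> %s\n", name, attr)
	}
}
```

Run it with go run; ClassifyDER can be pointed at any DER-encoded certificate. A certificate that carries no basicConstraints extension is placed under userCertificate, which follows RFC 5280's rule that a certificate used to sign other certificates must assert the cA flag.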