[x500standard] Re: Certificate definitions

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>, "'PKIX'" <ietf-pkix@xxxxxxx>
  • Date: Fri, 3 Apr 2009 17:00:01 +0200

I take silence as approval.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions

Hi

I got a number of responses on user certificates, but quite little that
actually answered my question.

I have tried to dig a little bit more into X.509 to get hold of the
terminology and then produced the figure below. I will not comment on all the
boxes.

[Figure: GIF image attachment]

I would like you to comment on the correctness of the figure above.

 

The end-entity certificate is not defined in the definitions clause. However,
it is used widely in the main text. It is mentioned the first time in clause
7 as a public-key certificate. There are several other places where it is a
public-key certificate. In 15.5.2.4 it is used in the context of attribute
certificates. The conclusion must be that an end-entity certificate can
either be an end-entity public-key certificate or an end-entity attribute
certificate. However, in most places, it is implied that we only talk about
public-key certificates. For veterans, this is not a major problem, but
newcomers may get confused. Anyway, I think our specifications should be
clear and not subject to interpretation. RFC 5280 does not use the term at
all. It seems just to use the term "certificate" as a synonym for
"end-entity public-key certificate".

The "User Certificate" is not defined in X.509, but is widely used. It seems
to be a synonym for "end-entity public-key certificate". It is also used in
X.511. RFC 5280 uses the term once without differentiating it from just
"certificate".

The term "cross-certificate" should probably also be qualified.

I suggest adding to X.509 definitions for:

"end-entity public-key certificate"

"user certificate" as a synonym for "end-entity public-key certificate"

"end-entity attribute certificate"

The X.509 text should be updated to make use of these definitions.

 

X.509 has four attribute types for holding certificates:

userCertificate: for end-entity public-key certificates

cACertificate: for CA certificates

attributeCertificateAttribute: for end-entity attribute certificates

aACertificate: for AA certificates

Any comments?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com