[x500standard] Re: Certificate definitions

  • From: "Jean-Paul LEMAIRE" <jean-paul.lemaire@xxxxxxxxxxxxxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Fri, 03 Apr 2009 17:30:03 +0200

Erik,

It seems to be OK. I'll plan to review this more precisely during the week-end.

Best regards,

Jean-Paul.

I take silence as approval.



Erik Andersen

Andersen's L-Service

Elsevej 48, DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

email: era@xxxxxxx

www.x500.eu

www.x500standard.com



-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions



Hi



I got a number of responses on user certificates, but quite little that
actually answered my question.



I have tried to dig a little bit more in X.509 to get hold of the
terminology and then produced the figure below. I will not comment on all the
boxes.







I would like you to comment on the correctness of the figure above.



The end-entity certificate is not defined in the definition clause. However, it is used widely in the main text. It is mentioned the first time in clause 7 as a public-key certificate. There are several other places where it is a public-key certificate. In 15.5.2.4 it is used in the context of attribute certificates. The conclusion must be that an end-entity certificate can either be an end-entity public-key certificate or an end-entity attribute certificate. However, in most places, it is implied that we only talk about public-key certificates. For veterans, this is not a major problem, but new-comers may get confused. Anyway, I think our specifications should be clear and not subject to interpretation. RFC 5280 does not use the term at
all. It seems just to use the term "certificate" as a synonym for
"end-entity public key certificate".



The "User Certificate" is not defined in X.509, but is widely used. It seems to be a synonym for "end-entity public key certificate". It is also used in
X.511. RFC 5280 uses the term once without differentiating it from just
"certificate".



The term "cross-certificate" should probably also be qualified.



I suggest to add in X.509 definitions for:



"end-entity public-key certificate"

"user certificate" as a synonym for "end-entity public-key certificate"

"end-entity attribute certificate"



The X.509 text should be updated to make use of these definitions.



X.509 has four attribute types for holding certificates.



userCertificate: For end-entity public-key certificates

cACertificate: For CA certificates

attributeCertificateAttribute: For end-entity attribute certificates

aACertificate: For AA certificates



Any comments?



Erik Andersen

Andersen's L-Service

Elsevej 48, DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

email: era@xxxxxxx

www.x500.eu

www.x500standard.com




-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.