Erik,

It seems to be OK. I'll plan to review this more precisely during the week-end.
Best regards, Jean-Paul.
I take silence as approval.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions

Hi

I got a number of responses on user certificates, but quite little that actually answered my question.

I have tried to dig a little bit more in X.509 to get hold of the terminology and then produced the figure below. I will not comment on all the boxes. I would like you to comment on the correctness of the above figure.

The end-entity certificate is not defined in the definition clause. However, it is used widely in the main text. It is mentioned the first time in clause 7 as a public-key certificate. There are several other places where it is a public-key certificate. In 15.5.2.4 it is used in the context of attribute certificates. The conclusion must be that an end-entity certificate can either be an end-entity public-key certificate or an end-entity attribute certificate. However, in most places, it is implied that we only talk about public-key certificates. For veterans, this is not a major problem, but newcomers may get confused. Anyway, I think our specifications should be clear and not subject to interpretation. RFC 5280 does not use the term at all. It seems just to use the term "certificate" as a synonym for "end-entity public key certificate".

The "User Certificate" is not defined in X.509, but is widely used. It seems to be a synonym for "end-entity public key certificate". It is also used in X.511. RFC 5280 uses the term once without differentiating it from just "certificate".

The term "cross-certificate" should probably also be qualified.

I suggest to add in X.509 definitions for:

"end-entity public-key certificate"
"user certificate" as a synonym for "end-entity public-key certificate"
"end-entity attribute certificate"

The X.509 text should be updated to make use of these definitions.

X.509 has four attribute types for holding certificates.

UserCertificate: For end-entity public-key certificates
cAcertificate: For CA certificates
attributeCertificateAttribute: For end-entity attribute certificates
aACertificate: For AA Certificates

Any comments?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com