[x500standard] Re: Certificate definitions

  • From: "Denis Pinkas"<denis.pinkas@xxxxxxxx>
  • To: "x500 list"<x500standard@xxxxxxxxxxxxx>, "ietf-pkix"<ietf-pkix@xxxxxxx>
  • Date: Fri, 3 Apr 2009 17:33:01 +0200

Eric,

Silence does not mean approval.

It may mean that the corrections are so numerous that it would take too long to respond and that people do not have that time available at the moment.

e.g.: an end-entity attribute certificate is not linked to a public-key certificate;
      a cross-certificate is not linked to an AA certificate;
      an Authority Certificate is not linked to an Attribute Certificate.

This is only a start ...

Denis
----- Message received -----
From: owner-ietf-pkix
To: x500standard, 'PKIX'
Date: 2009-04-03, 17:00:01
Subject: RE: [x500standard] Certificate definitions


I take silence as approval.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx 
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1 April 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions

Hi

I got a number of responses on user certificates, but quite little that 
actually answered my question.

I have tried to dig a little bit more in X.509 to get hold of the terminology 
and then produced the figure below. I will not comment on all the boxes.



I would like you to comment on the correctness of the figure above.

The end-entity certificate is not defined in the definition clause. However, it 
is used widely in the main text. It is mentioned the first time in clause 7 as 
a public-key certificate. There are several other places where it is a 
public-key certificate. In 15.5.2.4 it is used in the context of attribute 
certificates. The conclusion must be that an end-entity certificate can either 
be an end-entity public-key certificate or an end-entity attribute certificate. 
However, in most places, it is implied that we only talk about public-key 
certificates. For veterans, this is not a major problem, but newcomers may get 
confused. Anyway, I think our specifications should be clear and not subject to 
interpretation. RFC 5280 does not use the term at all. It seems just to use the 
term "certificate" as a synonym for "end-entity public-key certificate".

The "User Certificate" is not defined in X.509, but is widely used. It seems to 
be a synonym for "end-entity public-key certificate". It is also used in 
X.511. RFC 5280 uses the term once without differentiating it from just 
"certificate".

The term ?cross-certificate? should probably also be qualified.

I suggest adding definitions in X.509 for:

"end-entity public-key certificate"
"user certificate" as a synonym for "end-entity public-key certificate"
"end-entity attribute certificate"

The X.509 text should be updated to make use of these definitions.

X.509 has four attribute types for holding certificates.

userCertificate: For end-entity public-key certificates
cACertificate: For CA certificates
attributeCertificateAttribute: For end-entity attribute certificates
aACertificate: For AA certificates

Any comments?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com
