[x500standard] Re: Certificate definitions

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: "'Santosh Chokhani'" <SChokhani@xxxxxxxxxxxx>, <x500standard@xxxxxxxxxxxxx>, "'ietf-pkix'" <ietf-pkix@xxxxxxx>
  • Date: Mon, 6 Apr 2009 17:40:34 +0200

Hi 

 

Thanks for all the comments so far. I know I was not clear enough. I am not
proposing to add the picture to X.509. I am not proposing any technical
changes, only to get a consistent terminology. The picture reflects my
understanding of interrelationship among different concepts as currently
expressed by X.509.

 

By doing this, I came to the same conclusion as expressed in Jean-Paul's
comment, which I attach for the benefit of the PKIX list.

 

The only thing I am actually suggesting is to add definitions for
"end-entity public-key certificate" and for "end-entity attribute
certificate" and possibly to get rid of the "user certificate".

 

Erik Andersen

Andersen's L-Service

Elsevej 48, DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

email: era@xxxxxxx

www.x500.eu

www.x500standard.com

 

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Santosh Chokhani
Sent: 3. april 2009 20:03
To: x500standard@xxxxxxxxxxxxx; ietf-pkix
Subject: RE: [x500standard] Re: Certificate definitions

 

I did not respond before because I am not quite sure what purpose this
diagram serves and why we need it.

 

I have also read Russ's post and I agree with Russ (and with Denis on one
point).  Unless some one views a PKC with SDA as an AC,  AA certificate is
not a cross certificate.

 

I disagree with Denis on two of his comments.  Good, bad or indifferent, the
diagram is saying that a PKC could be an Authority Certificate or an EE
certificate.  The diagram is correct.  The diagram says an attribute
certificate could be an authority certificate or an end entity certificate.
Again, the diagram is correct.

 

But, as I mentioned before, I lose forest for the trees here.  I know this
started with the userCertificate  directory attribute, but the diagram may
confuse people, may be misread, and without understanding why precisely we
need it, I do not see a need for it. 

  _____  

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Denis Pinkas
Sent: Friday, April 03, 2009 11:33 AM
To: x500 list; ietf-pkix
Subject: [x500standard] Re: Certificate definitions

Eric,

 

Silence does not mean approval.

 

It may mean that the corrections are so numerous that it would take too long
to respond

and that people do not have that time available at the moment.

 

e.g.:  an End-entity attribute certificate is not linked to a public-key
certificate.

         a cross-certificate is not linked to an AA certificate.

         an Authority Certificate is not linked to an Attribute Certificate.

 

This is only a start ...

 

Denis

----- Message received -----

From: owner-ietf-pkix

To: x500standard, 'PKIX'

Date: 2009-04-03, 17:00:01

Subject: RE: [x500standard] Certificate definitions

 

I take silence as approval.

 

Erik Andersen

Andersen's L-Service

Elsevej 48, DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

email: era@xxxxxxx

www.x500.eu

www.x500standard.com

 

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions

 

Hi

 

I got a number of responses on user certificates, but quite little that
actually answered my question.

 

I have tried to dig a little bit more in X.509 to get hold of the
terminology and then produced the figure below. I will not comment on all the
boxes.

 



 

I would like your comments as to the correctness of the figure above.

 

The end-entity certificate is not defined in the definition clause. However
it is used widely in the main text. It is mentioned the first time in clause
7 as a public-key certificate. There are several other places where it is a
public-key certificate. In 15.5.2.4 it is used in the context of attribute
certificates. The conclusion must be that an end-entity certificate can
either be an end-entity public-key certificate or an end-entity attribute
certificate. However, in most places, it is implied that we only talk about
public-key certificates. For veterans, this is not a major problem, but
new-comers may get confused. Anyway, I think our specifications should be
clear and not subject to interpretation. RFC 5280 does not use the term at
all. It seems just to use the term "certificate" as a synonym for
"end-entity public key certificate".

 

The "User Certificate" is not defined in X.509, but is widely used. It seems
to be a synonym for "end-entity public key certificate". It is also used in
X.511. RFC 5280 uses the term once without differentiating it from just
"certificate".

 

The term "cross-certificate" should probably also be qualified.

 

I suggest to add in X.509 definitions for:

 

"end-entity public-key certificate"

"user certificate" as a synonym for "end-entity public-key certificate"

"end-entity attribute certificate"

 

The X.509 text should be updated to make use of these definitions.

 

X.509 has four attribute types for holding certificates.

 

userCertificate: For end-entity public-key certificates

cACertificate: For CA certificates

attributeCertificateAttribute: For end-entity attribute certificates

aACertificate: For AA certificates

 

Any comments?

 

Erik Andersen

Andersen's L-Service

Elsevej 48, DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

email: era@xxxxxxx

www.x500.eu

www.x500standard.com

 


--- Begin Message ---
  • From: "Jean-Paul LEMAIRE" <jean-paul.lemaire@xxxxxxxxxxxxxxxxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Mon, 6 Apr 2009 11:55:21 +0200
Hi Erik,

I have reviewed your text and I propose some changes.

Best regards,

Jean-Paul.



--- End Message ---
