[x500standard] Re: Certificate definitions

Erik,
 
See responses inline.


________________________________

        From: x500standard-bounce@xxxxxxxxxxxxx 
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
        Sent: Thursday, April 09, 2009 11:26 AM
        To: x500standard@xxxxxxxxxxxxx; 'ietf-pkix'
        Subject: [x500standard] Re: Certificate definitions
        
        

        Hi Denis,

         

        It is a little dangerous not to respond to my comments. Due to the 
apparent inactivity of people, I have the power to produce Defect Reports, 
produce Draft Technical Corrigenda, run them through both the ISO and ITU-T 
approval process and finally integrate them into the next edition of X.500 
(incl. X.509) without being stopped by anyone (except for Jean-Paul Lemaire).

         

        I believe you misunderstood my diagram. It may be a little confusing. 
Let me express myself without the diagram.

         

        The set of certificates is the union of the set of public-key 
certificates and the set of attribute certificates.

         

        The set of end-entity certificates is the union of public-key 
certificates issued to end-entities and the set of attribute certificates 
issued to end-entities. However, X.509 is a little confusing here as the term 
end-entity certificate is sometimes meant to be just public-key certificates 
issued to end-entities, so the term end-entity certificate has two meanings.

         

        The set of public-key certificates is the union of the set of 
end-entity (public-key) certificates and the set of CA certificates.

         

        The set of attribute certificates is the union of the set of end-entity 
(attribute) certificates and the set of AA certificates.

         

        The set of authority certificates is the union of the set CA 
certificates and the set of AA certificates.

         

        The set of CA certificates is the union of the set of self-issued 
(public-key) certificates and the set cross certificates. The latter is a 
little confusing, as a cross certificate can also be an attribute certificate. 

         

        [Santosh]: The above paragraph has two inaccuracies.  Since not all CA 
certificates are called cross certificates, set of CA certificates are 
self-issued, cross certificate, and subordinate CA certificates.  (I wish we 
had not distinguished between cross certificates and subordinate CA 
certificates in the first place).  Also note that a cross certificate can not 
be attribute certificate.  I don't see an AA cross certificate in RFC 3281 or 
in X.509

         

        I am avoiding here to use the term "user attribute", but believe it is 
supposed to mean a public-key certificate issued to an end-entity.

         

        Whenever an innocent reader sees the term "certificate", he/she is 
entitled to believe it can either be a public-key certificate. It may not 
always be clear from the context what is meant.

         

        Whenever an innocent us  reader see the term "end-entity certificate", 
he/she is entitled to believe it is either a public key certificate or an 
attribute certificate issued to an end-entity.

         

        Whenever an innocent us  reader see the term "cross-certificate", 
he/she is entitled to believe it is either a public key certificate or an 
attribute certificate. 

        [Santosh]: See prior comment. 

         

        My proposal was only to clear-up the terminology and to use the 
terminology consistent in the text of X.509. Trying to do the latter may raise 
a number of detailed questions when the meaning is not absolutely clear from 
the context.  

         

        Erik Andersen

        Andersen's L-Service

        Elsevej 48, DK-3500 Vaerloese

        Denmark

        Mobile: +45 2097 1490

        email: era@xxxxxxx

        www.x500.eu

        www.x500standard.com

         

        -----Original Message-----
        From: x500standard-bounce@xxxxxxxxxxxxx 
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Denis Pinkas
        Sent: 3. april 2009 17:33
        To: x500 list; ietf-pkix
        Subject: [x500standard] Re: Certificate definitions

         

        Eric,

         

        Silence does not mean approval.

         

        It may mean that the corrections are so numerous that it would take too 
long to respond

        and that people do not have that time available at the moment.

         

        e.g.:  an End-entity attribute certificate is not linked to a 
public-key certificate.

                 a cross-certificate is not linked to an AA certificate.

                 an Authority Certificate is not linked to an Attribute 
Certificate.

         

        This is only a start ...

         

        Denis

                ----- Message reçu ----- 

                De : owner-ietf-pkix 

                À : x500standard,'PKIX' 

                Date : 2009-04-03, 17:00:01

                Sujet : RE: [x500standard] Certificate definitions

                 

                I take silence as approval.

                 

                Erik Andersen

                Andersen's L-Service

                Elsevej 48, DK-3500 Vaerloese

                Denmark

                Mobile: +45 2097 1490

                email: era@xxxxxxx

                www.x500.eu

                www.x500standard.com

                 

                -----Original Message-----
                From: x500standard-bounce@xxxxxxxxxxxxx 
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
                Sent: 1. april 2009 14:40
                To: Directory list; PKIX
                Subject: [x500standard] Certificate definitions

                 

                Hi

                 

                I got a number of responses on user certificates, but quite 
little that actually answered my question.

                 

                I have tried to dig a little bit more in X.509 to get hold of 
the terminology and then produced below figure. I will not comment all the 
boxes.

                 

                 

                 

                I will like you to comments as to the correctness of above 
figure.

                 

                The end-entity certificate is not defined in the definition 
clause. However it is used widely in the main text. It is mentioned the first 
time in clause 7 as a public-key certificate. There are several other places 
where it is a public-key certificate. In 15.5.2.4 is used in the context of 
attribute certificates. The conclusion must be that an end-entity certificate 
can either be a end-entity public-key certificate or an end-entity attribute 
certificate. However, in most places, it is implied that we only talks about 
public-key certificates. For veterans, this is not a major problem, but 
new-comers may get confused. Anyway, I thing our specifications should be clear 
and not subject to interpretation. RFC 5280 does not use the term at all. It 
seems just to use the term "certificate" as a synonym for "end-entrity public 
key certificate".

                 

                The "User Certificate"  is not defined in X.509, but is wide 
used. It seems to be a synonym for "end-entrity public key certificate". It is 
also used in X.511. RFC 5280 uses the term once without differenting it from 
just "certificate".

                 

                The term "cross-certificate" should probably also be qualified.

                 

                I suggest to add in X.509 definitions for:

                 

                "end-entity public-key certificate"

                "user certificate" as a synonym for "end-entity public-key 
certificate"

                "end-entity attribute certificate"

                 

                The X.509 text should be updated to make use of these 
definitions.

                 

                X.509 has four attribute types for holding certificates.

                 

                UserCertificate: For end-entity public-key certificates

                cAcertificate: For CA certificates

                attributeCertificateAttribute: For end-entity attribute 
certificates

                aACertificate: For AA Certificates

                 

                Any comments?

                 

                Erik Andersen

                Andersen's L-Service

                Elsevej 48, DK-3500 Vaerloese

                Denmark

                Mobile: +45 2097 1490

                email: era@xxxxxxx

                www.x500.eu

                www.x500standard.com

                 

GIF image

Other related posts: