[x500standard] Re: Trust anchor information

  • From: David Wilson <David.Wilson@xxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Mon, 07 Apr 2014 13:03:58 +0100

On Mon, 2014-04-07 at 13:29 +0200, Erik Andersen wrote:
> What is the term for the entity that signs the first CA-certificate in
> a certification path? It cannot be a trust anchor in your definition.
> In your term it is something in a relying party trust anchor store. Such
> a trust anchor cannot sign anything.

I agree with a trust anchor being "something in a relying party trust
anchor store". Such a store contains public keys which I trust, with
identifying information. Such keys enable one to trust objects which
have been signed using the private key corresponding to the trusted
public key. Operationally, that's how it works.

The term "anchor" does seem to imply that it is "at the end of a chain",
i.e. such a public key is only part of a certificate-signing key-pair.
However, I can see that there may be occasions when one wants to be able
to specify trust of a key which is not a certificate signing key, i.e. a
key outside of a formal PKI.

cheers

David


-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.
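The operational picture above (a store of trusted public keys with identifying information, used to check objects signed by the matching private keys, plus the case of a trusted key outside a formal PKI) can be shown with Go's standard crypto/x509 and crypto/ed25519 packages. This is an added example, not code from the thread or from the X.500 standard; the subject names, the three-level path and the "build-signer" key are constructed for illustration, and a real relying party would load its anchors from configuration rather than generate them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed certification path: root -> intermediate -> leaf.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// template builds a minimal certificate body; names are constructed for the example.
func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for pub with the issuer's private key. For the self-signed
// root, parent is the template itself.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, issuerPriv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerPriv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI creates the path. Only the root's private key signs the first CA
// certificate; the relying party never holds that private key, only the public one.
func BuildPKI() *PKI {
	rootPub, rootPriv := newKey()
	interPub, interPriv := newKey()
	leafPub, _ := newKey()
	rootTmpl := template("Example Root", true, 1)
	root := issue(rootTmpl, rootTmpl, rootPub, rootPriv)
	inter := issue(template("Example Intermediate CA", true, 2), root, interPub, rootPriv)
	leaf := issue(template("leaf.example", false, 3), inter, leafPub, interPriv)
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// AnchorStore is the relying party's trust anchor store. Go stores an anchor
// as a certificate, but Verify uses only its subject name and public key from
// it and never checks the root's own self-signature.
func AnchorStore(anchors ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	return pool
}

// ValidatePath checks leaf -> intermediate -> an anchor in the store. The
// intermediate's signature is verified with the anchor's public key.
func ValidatePath(leaf, inter *x509.Certificate, anchors *x509.CertPool) error {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         anchors,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// VerifyDetached covers the non-PKI case: a bare public key, trusted under a
// name, directly signs an object with no certificate in between.
func VerifyDetached(store map[string]ed25519.PublicKey, signer string, msg, sig []byte) bool {
	key, ok := store[signer]
	return ok && ed25519.Verify(key, msg, sig)
}

func main() {
	pki := BuildPKI()
	store := AnchorStore(pki.Root)
	fmt.Println("path to trusted anchor:", ValidatePath(pki.Leaf, pki.Intermediate, store))
	// A second PKI reuses the same subject names but different keys: name
	// alone does not make an anchor, the key in the store does.
	other := BuildPKI()
	fmt.Println("path to untrusted anchor:", ValidatePath(other.Leaf, other.Intermediate, store))
	pub, priv := newKey()
	keys := map[string]ed25519.PublicKey{"build-signer": pub} // constructed anchor
	msg := []byte("constructed sample object")
	fmt.Println("detached signature:", VerifyDetached(keys, "build-signer", msg, ed25519.Sign(priv, msg)))
}
```

The second path fails even though its issuer name matches the stored anchor's subject, because the anchor is the public key, not the name; and the root's self-signed certificate is only a container for that key, which is why the anchor itself is not what "signs" the first CA certificate.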
