How about some tutorial material and why part of it? -----Original Message----- From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen Sent: Wednesday, October 05, 2011 12:14 PM To: x500standard@xxxxxxxxxxxxx; SG17-Q11 Subject: [x500standard] Updating X.509 - developing countries (was: Forward and Reverse Certification Path) The X.509 has taken six feverish editions rather than six days and the result is good, but not good enough, so we cannot rest on the seventh edition. I am afraid it takes more than seven days and nights of feverish typing to get a very good seventh edition. There is probably no help from a higher power. There has been no new requirements on X.509, so the current exercise is to improve the clearness and readability. So-called developing countries (some are getting quite advanced) starts thinking in PKI. X.509 is not easy to read. It has internal contradictions, concepts are used before introduced, some early misunderstanding are still present, some aspects are not specified clearly, etc. (Making sense out of more than 30 different PKIX specifications is not easy either). What we cannot do to X.509: 1. We cannot change the technical content. 2. We cannot change or delete ASN.1 specification. What we can do: 1. Clarify definitions 2. Correct clear mistakes possibly using the Defect Report path 3. Move text around to get a more logical flow, 4. Add additional clarification text. 5. Etc. Erik Andersen Andersen's L-Service Elsevej 48, DK-3500 Vaerloese Denmark Mobile: +45 2097 1490 e-amail: era@xxxxxxx Skype: andersen-erik http://www.x500.eu/ http://www.x500standard.com/ http://dk.linkedin.com/in/andersenerik -----Oprindelig meddelelse----- Fra: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] På vegne af Kemp, David P. Sendt: 3. oktober 2011 15:41 Til: Directory list Emne: [x500standard] Re: Forward and Reverse Certification Path This definition is a model of clarity: "PkiPath :: SEQUENCE OF Certificate PkiPath is used to represent a certification path. Within the sequence, the order of certificates is such that the subject of the first certificate is the issuer of the second certificate, etc." This definition is mush: Certificates ::= SEQUENCE { userCertificate Certificate, certificationPath CertPath OPTIONAL } "In addition, the following ASN.1 data type can be used to represent the forward certification path. This component contains the certification path which can point back to the originator." CertPath ::= SEQUENCE OF CrossCertificates CrossCertificates ::= SET OF Certificate (What does "point back to the originator" mean? And who is the "originator" anyway - a higher power who created the original X.509 in 7 days and 7 nights of fevered typing? The subject of the userCertificate who is performing path construction prior to sending a message? How are the multiple Certificate objects in the CrossCertificates SET related to each other, and to other Certificates in the CertPath? How large can the SET be?) The CertificationPath ASN.1 definition expresses its meaning clearly: "A user may obtain one or more certificates from one or more Certification Authorities. Each certificate bears the name of the Certification Authority Which issued it. The following ASN.1 data types can be used to represent Certificates and a certification path: CertificationPath ::= SEQUENCE { userCertificate Certificate, theCACertificates SEQUENCE OF CertificatePair OPTIONAL } CertificatePair ::= SEQUENCE { issuedToThisCA [0] Certificate OPTIONAL, issuedByThisCA [1] Certificate OPTIONAL And finally, the non-ASN.1 definition of certification path says nothing about forward or reverse: "A certification path from A to B - starts with a certificate produced by CA(A) - continues with further certificates - ends with the certificate of B So which of the four existing definitions (A to B, CertificationPath, Certificates, or PkiPath) are you proposing to augment with a definition going in the opposite direction? And what is the purpose of the additional definition? Using PkiPath as an example, I see no benefit to defining a new structure ReversePkiPath consisting of the identical certificates but placed in the SEQUENCE in the opposite order. Dave -----Original Message----- From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen Sent: Monday, October 03, 2011 8:11 AM To: Directory list Subject: [x500standard] Forward and Reverse Certification Path A certification path is currently defined a going from the end-entity toward the trust anchor. I would be convenient to defined a forward certification path equivalent to a certification path and a reverse communication path going from the a CA-certificate signed by the trust anchor down to the end-entity public-key certificate. Any comments? Erik Andersen Andersen's L-Service Elsevej 48, DK-3500 Vaerloese Denmark Mobile: +45 2097 1490 e-amail: era@xxxxxxx Skype: andersen-erik http://www.x500.eu/ http://www.x500standard.com/ http://dk.linkedin.com/in/andersenerik <http://dk.linkedin.com/in/andersenerik> ----- www.x500standard.com: The central source for information on the X.500 Directory Standard. ----- www.x500standard.com: The central source for information on the X.500 Directory Standard. ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.