[x500standard] Re: Updating X.509 - developing countries (was: Forward and Reverse Certification Path)
- From: Santosh Chokhani <SChokhani@xxxxxxxxxxxx>
- To: "x500standard@xxxxxxxxxxxxx" <x500standard@xxxxxxxxxxxxx>, SG17-Q11 <t09sg17q11@xxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2011 12:35:57 -0400
How about some tutorial material and why part of it?
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Wednesday, October 05, 2011 12:14 PM
To: x500standard@xxxxxxxxxxxxx; SG17-Q11
Subject: [x500standard] Updating X.509 - developing countries (was: Forward and
Reverse Certification Path)
The X.509 has taken six feverish editions rather than six days and the
result is good, but not good enough, so we cannot rest on the seventh
edition. I am afraid it takes more than seven days and nights of feverish
typing to get a very good seventh edition. There is probably no help from a
higher power.
There has been no new requirements on X.509, so the current exercise is to
improve the clearness and readability. So-called developing countries (some
are getting quite advanced) starts thinking in PKI. X.509 is not easy to
read. It has internal contradictions, concepts are used before introduced,
some early misunderstanding are still present, some aspects are not
specified clearly, etc. (Making sense out of more than 30 different PKIX
specifications is not easy either).
What we cannot do to X.509:
1. We cannot change the technical content.
2. We cannot change or delete ASN.1 specification.
What we can do:
1. Clarify definitions
2. Correct clear mistakes possibly using the Defect Report path
3. Move text around to get a more logical flow,
4. Add additional clarification text.
5. Etc.
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
-----Oprindelig meddelelse-----
Fra: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] På vegne af Kemp, David P.
Sendt: 3. oktober 2011 15:41
Til: Directory list
Emne: [x500standard] Re: Forward and Reverse Certification Path
This definition is a model of clarity:
"PkiPath :: SEQUENCE OF Certificate
PkiPath is used to represent a certification path. Within the
sequence,
the order of certificates is such that the subject of the first
certificate
is the issuer of the second certificate, etc."
This definition is mush:
Certificates ::= SEQUENCE {
userCertificate Certificate,
certificationPath CertPath OPTIONAL }
"In addition, the following ASN.1 data type can be used to represent
the
forward certification path. This component contains the
certification
path which can point back to the originator."
CertPath ::= SEQUENCE OF CrossCertificates
CrossCertificates ::= SET OF Certificate
(What does "point back to the originator" mean? And who is the
"originator" anyway - a higher power who created the original
X.509 in 7 days and 7 nights of fevered typing? The subject
of the userCertificate who is performing path construction prior
to sending a message? How are the multiple Certificate objects
in the CrossCertificates SET related to each other, and to other
Certificates in the CertPath? How large can the SET be?)
The CertificationPath ASN.1 definition expresses its meaning clearly:
"A user may obtain one or more certificates from one or more
Certification
Authorities. Each certificate bears the name of the Certification
Authority
Which issued it. The following ASN.1 data types can be used to
represent
Certificates and a certification path:
CertificationPath ::= SEQUENCE {
userCertificate Certificate,
theCACertificates SEQUENCE OF CertificatePair OPTIONAL }
CertificatePair ::= SEQUENCE {
issuedToThisCA [0] Certificate OPTIONAL,
issuedByThisCA [1] Certificate OPTIONAL
And finally, the non-ASN.1 definition of certification path says nothing
about forward or reverse:
"A certification path from A to B
- starts with a certificate produced by CA(A)
- continues with further certificates
- ends with the certificate of B
So which of the four existing definitions (A to B, CertificationPath,
Certificates, or PkiPath) are you proposing to augment with a definition
going in the opposite direction? And what is the purpose of the
additional definition? Using PkiPath as an example, I see no benefit to
defining a new structure ReversePkiPath consisting of the identical
certificates but placed in the SEQUENCE in the opposite order.
Dave
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Monday, October 03, 2011 8:11 AM
To: Directory list
Subject: [x500standard] Forward and Reverse Certification Path
A certification path is currently defined a going from the end-entity
toward the trust anchor. I would be convenient to defined a forward
certification path equivalent to a certification path and a reverse
communication path going from the a CA-certificate signed by the trust
anchor down to the end-entity public-key certificate.
Any comments?
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
<http://dk.linkedin.com/in/andersenerik>
-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
Other related posts:
