[x500standard] Re: Certificate definitions

  • From: "David A. Cooper" <david.cooper@xxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Thu, 09 Apr 2009 12:09:19 -0400

Santosh Chokhani wrote:

[Santosh]: The above paragraph has two inaccuracies.  Since not all CA certificates are called cross certificates, the set of CA certificates is self-issued, cross certificate, and subordinate CA certificates.  (I wish we had not distinguished between cross certificates and subordinate CA certificates in the first place).  Also note that a cross certificate cannot be an attribute certificate.  I don't see an AA cross certificate in RFC 3281 or in X.509.


Santosh,

RFC 5280 says that "Cross-certificates are CA certificates in which the issuer and subject are different entities."

X.509 defines a cross-certificate as "A public-key or attribute certificate where the issuer and the subject/holder are different CAs or AAs respectively. CAs and AAs issue cross-certificates to other CAs or AAs respectively as a mechanism to authorize the subject CA's existence (e.g., in a strict hierarchy) or to recognize the existence of the subject CA or holder AA (e.g., in a distributed trust model). The cross-certificate structure is used for both of these."

So, every CA certificate is either self-issued or a cross-certificate.

I know that a lot of people seem to think that a certificate issued in a hierarchy by a hierarchically superior CA to a subordinate CA is not a "cross-certificate", but that belief is not consistent with either X.509 or RFC 5280.  (Perhaps people are simply guessing the meaning of "cross-certificate", and the inclusion of "cross" in the name leads them to guess that the term does not incorporate certificates issued to subordinate CAs.)  If documents are being created that use the term "cross-certificate" to mean only CA certificates that are neither self-issued nor issued to a subordinate CA, then they are creating confusion by misusing the term.

Dave
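The classification Dave spells out above (every CA certificate is either self-issued or a cross-certificate, with a subordinate CA's certificate falling in the second group), as an added example that is not part of the post or of any X.500/RFC 5280 implementation. Certificates are modelled as plain records rather than parsed DER so it runs with the Python standard library only; the names, key identifiers and the sample PKI are constructed, name matching is exact string equality rather than the RFC 5280 section 7.1 comparison rules, and "self-signed" is approximated by the authorityKeyIdentifier equalling the subjectKeyIdentifier instead of verifying the signature with the subject's key. It also carries the distinction through to where it matters in practice: RFC 5280 section 6.1.4 path-length accounting, where self-issued intermediates do not consume a level.

```python
"""Classify CA certificates the way X.509 and RFC 5280 define the terms.

Added example, not code from the mailing-list post. Certificates are
modelled as plain records (issuer/subject names, basicConstraints, key
identifiers) rather than parsed DER so it runs with the standard library.
Assumptions: names compare as exact strings (real implementations apply
the RFC 5280 section 7.1 rules), and "self-signed" is approximated by the
authorityKeyIdentifier matching the subjectKeyIdentifier instead of
verifying the signature with the subject's own public key.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                        # basicConstraints.cA
    path_len: Optional[int] = None     # basicConstraints.pathLenConstraint
    subject_key_id: str = ""           # subjectKeyIdentifier
    authority_key_id: str = ""         # authorityKeyIdentifier (signing key)


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 3.2 / 6.1: issuer and subject name the same entity."""
    return cert.issuer == cert.subject


def classify(cert: Cert) -> str:
    """Return the RFC 5280 / X.509 term for a certificate."""
    if not cert.is_ca:
        return "end-entity"
    if is_self_issued(cert):
        # self-signed is the special case of self-issued where the
        # subject's own key made the signature (e.g. a root); a key
        # rollover certificate is self-issued but not self-signed
        if cert.authority_key_id == cert.subject_key_id:
            return "self-signed"
        return "self-issued"
    # Every remaining CA certificate is a cross-certificate, whether the
    # subject is a subordinate CA in a hierarchy or a peer CA elsewhere
    return "cross-certificate"


def path_length_ok(path: List[Cert]) -> bool:
    """Apply the RFC 5280 6.1.4 (k)-(m) path-length accounting.

    `path` is certificates 1..n, from the one issued by the trust anchor
    down to the end-entity certificate; the anchor itself is not included.
    Self-issued intermediates are free (a key rollover does not consume a
    level) and pathLenConstraint can only tighten max_path_length.
    """
    max_path_length = len(path)          # 6.1.2 (k): initialised to n
    for cert in path[:-1]:               # 6.1.4 runs for i = 1 .. n-1
        if not cert.is_ca:               # (k): intermediates must be CAs
            return False
        if not is_self_issued(cert):     # (l)
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len   # (m)
    return True


# Constructed sample PKI (not real certificates).
ROOT = Cert("CN=Root CA", "CN=Root CA", True,
            subject_key_id="k1", authority_key_id="k1")
# Root certifies its new key with its old key: same name on both sides.
ROLLOVER = Cert("CN=Root CA", "CN=Root CA", True,
                subject_key_id="k2", authority_key_id="k1")
# Hierarchical subordinate: issuer and subject differ, so by the standard's
# definition this is a cross-certificate too.
SUB_CA = Cert("CN=Sub CA", "CN=Root CA", True, path_len=0,
              subject_key_id="k3", authority_key_id="k2")
# Peer-to-peer cross-certificate from another domain's CA to our root.
PEER_CROSS = Cert("CN=Root CA", "CN=Other Domain CA", True,
                  subject_key_id="k2", authority_key_id="k9")
LEAF = Cert("CN=www.example.test", "CN=Sub CA", False,
            subject_key_id="k4", authority_key_id="k3")
# A further CA under Sub CA, which Sub CA's pathLenConstraint=0 forbids.
DEEPER_CA = Cert("CN=Deeper CA", "CN=Sub CA", True,
                 subject_key_id="k5", authority_key_id="k3")
DEEPER_LEAF = Cert("CN=svc.example.test", "CN=Deeper CA", False,
                   subject_key_id="k6", authority_key_id="k5")

# Valid path: rollover (self-issued, free) -> Sub CA -> leaf.
VALID_PATH = [ROLLOVER, SUB_CA, LEAF]
# Invalid path: the extra CA level under Sub CA exceeds pathLenConstraint=0.
TOO_DEEP_PATH = [ROLLOVER, SUB_CA, DEEPER_CA, DEEPER_LEAF]

if __name__ == "__main__":
    for c in (ROOT, ROLLOVER, SUB_CA, PEER_CROSS, LEAF):
        print(f"{c.issuer:>20} -> {c.subject:<20} {classify(c)}")
    print("valid path   :", path_length_ok(VALID_PATH))
    print("too-deep path:", path_length_ok(TOO_DEEP_PATH))
```

Note that classify() gives the same answer, "cross-certificate", for the hierarchical Sub CA certificate and for the peer-to-peer certificate from another domain; the only CA certificates it separates out are the self-issued ones, and it is exactly those that path_length_ok() treats differently.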

----- www.x500standard.com: The central source for information on the X.500 Directory Standard.
