[x500standard] Re: Certificate definitions

  • From: "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Thu, 9 Apr 2009 12:16:21 -0400

David,
 
We agree.  That is why I made my parenthetical remark.


________________________________

        From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David A. Cooper
        Sent: Thursday, April 09, 2009 12:09 PM
        To: x500standard@xxxxxxxxxxxxx
        Cc: ietf-pkix
        Subject: [x500standard] Re: Certificate definitions
        
        
        Santosh Chokhani wrote: 

                [Santosh]: The above paragraph has two inaccuracies.
                Since not all CA certificates are called
                cross-certificates, the set of CA certificates is
                self-issued, cross-certificate, and subordinate CA
                certificates.  (I wish we had not distinguished between
                cross-certificates and subordinate CA certificates in
                the first place.)  Also note that a cross-certificate
                cannot be an attribute certificate.  I don't see an AA
                cross-certificate in RFC 3281 or in X.509.



        Santosh,
        
        RFC 5280 says that "Cross-certificates are CA certificates in
        which the issuer and subject are different entities."
        
        X.509 defines a cross-certificate as "A public-key or attribute
        certificate where the issuer and the subject/holder are
        different CAs or AAs respectively. CAs and AAs issue
        cross-certificates to other CAs or AAs respectively as a
        mechanism to authorize the subject CA's existence (e.g., in a
        strict hierarchy) or to recognize the existence of the subject
        CA or holder AA (e.g., in a distributed trust model). The
        cross-certificate structure is used for both of these."
        
        So, every CA certificate is either self-issued or a
        cross-certificate.
        
        I know that a lot of people seem to think that a certificate
        issued in a hierarchy by a hierarchically superior CA to a
        subordinate CA is not a "cross-certificate", but that belief is
        not consistent with either X.509 or RFC 5280.  (Perhaps people
        are simply guessing the meaning of "cross-certificate", and the
        inclusion of "cross" in the name leads them to guess that the
        term does not incorporate certificates issued to subordinate
        CAs.)  If documents are being created that use the term
        "cross-certificate" to mean only CA certificates that are
        neither self-issued nor issued to a subordinate CA, then they
        are creating confusion by misusing the term.
        
        Dave
        
        ----- www.x500standard.com: The central source for information
on the X.500 Directory Standard. 
