Hi Denis,

Thanks for your comments. I understand that you believe that trust anchor storage shall not be mentioned in X.509 at all.

X.509 is not that well structured, as it has been written by different people at different times during a period where concepts and terms were being developed. As an example, the term trust anchor is used without any previous introduction. An innocent reader does not necessarily know what a trust anchor is. Following your proposal, the term trust anchor would still be used without any introduction.

The proposed subclause is intended to be just before a subclause introducing the concept of certification path. Some of your proposed text fits nicely in here. It was important to me to emphasise that a trust anchor is some entity trusted by a relying party and not necessarily trusted by the end-entity.

New players from new countries are coming into the PKI area. X.509 should be written in such a way that it is understandable for newcomers. Many PKI specifications can only be understood by those that are already (so-called) experts.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

From: denis.pinkas@xxxxxxxx [mailto:denis.pinkas@xxxxxxxx]
Sent: 15 July 2011 11:41
To: Erik Andersen
Cc: PKIX
Subject: RE: [pkix] Trust anchors

Erik,

You are walking on a field of mines. Nevertheless, it is good to have a ball rolling. Since I don't like the proposal, I will explain shortly why and will attach a counter proposal.

The first sentence is meaningless for me: "A trust anchor is an entity that is trusted by a certificate-using system supporting a relying party".

The second sentence introduces the concept of "trust anchor store". This concept, originally introduced in the PKIX WG, is too restrictive. I do know that several vendors have adopted a model where all CAs are equally trusted, but this is far too restrictive and this should not be the general rule.

Trust anchors may be grouped under a set of rules usually called a "validation policy" or a "signature policy". In a given set of rules there are trust anchors and, for each trust anchor, conditions that shall apply to every certificate of a to-be-tested certification path that ends at that trust anchor, like OIDs for certification policies, key usages, etc.

Trust anchors cannot simply be grouped in "trust anchor stores", since different constraints may apply to every trust anchor. This is the reason why I have deleted the text related to the "trust anchor store".

Denis

From: "Erik Andersen" <era@xxxxxxx>
To: "PKIX" <pkix@xxxxxxxx>
Date: 14/07/2011 18:46
Subject: [pkix] Trust anchors
Sent by: pkix-bounces@xxxxxxxx

_____

To prove I am an optimist, I have produced a first draft for a subclause on trust anchors to be included in X.509. I will appreciate any constructive comment.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

[attachment "trust-anchor.pdf" removed by Denis PINKAS/FR/BULL]

_______________________________________________
pkix mailing list
pkix@xxxxxxxx
https://www.ietf.org/mailman/listinfo/pkix
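The distinction Denis draws in the thread above (a flat "trust anchor store" where every anchor is equally trusted, versus a validation policy that attaches its own conditions to each trust anchor and applies them to every certificate of a path ending at that anchor) is modelled in the following Python example. It is an added illustration, not code from the thread, from X.509 or from any PKIX document: the certificates are plain records rather than real X.509 objects, no signatures are verified, the policy OIDs sit under the 2.999 example arc, and the key-usage names and anchor rules are constructed assumptions.

```python
# Added example (not from the PKIX thread): a toy model contrasting a flat
# "trust anchor store" with a validation policy that attaches conditions to
# each trust anchor. Certificates are plain records, not real X.509; no
# signatures are checked, only issuer linkage and per-anchor constraints.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate (constructed data)."""
    subject: str
    issuer: str
    policies: frozenset        # certificatePolicies OIDs asserted by the cert
    key_usage: frozenset       # keyUsage bit names


@dataclass(frozen=True)
class AnchorRule:
    """Conditions a validation policy attaches to one trust anchor (assumed shape)."""
    acceptable_policies: frozenset   # every cert on the path must assert one of these
    end_entity_key_usage: frozenset  # the end-entity cert must carry all of these


def issuer_linked(path, anchor):
    """True if each cert is issued by the next one and the last is issued by
    the anchor. Path order: end-entity first; the anchor itself is not a
    member of the path, it is the trusted entity the path ends at."""
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False
    return bool(path) and path[-1].issuer == anchor


def validate_with_flat_store(path, store):
    """Trust-anchor-store model: every anchor in the store is equally trusted
    and no further conditions are applied to the certificates of the path."""
    if not path:
        return False, "empty path"
    anchor = path[-1].issuer
    if anchor not in store:
        return False, f"{anchor} is not in the trust anchor store"
    if not issuer_linked(path, anchor):
        return False, "path is not issuer-linked"
    return True, f"accepted under anchor {anchor}"


def validate_with_policy(path, policy):
    """Validation-policy model: find the anchor the path ends at, then apply
    that anchor's own conditions to every certificate of the path."""
    if not path:
        return False, "empty path"
    anchor = path[-1].issuer
    rule = policy.get(anchor)
    if rule is None:
        return False, f"{anchor} is not a trust anchor of this policy"
    if not issuer_linked(path, anchor):
        return False, "path is not issuer-linked"
    for cert in path:
        if not (cert.policies & rule.acceptable_policies):
            return False, f"{cert.subject}: no policy acceptable under anchor {anchor}"
    missing = rule.end_entity_key_usage - path[0].key_usage
    if missing:
        return False, (f"{path[0].subject}: missing key usage {sorted(missing)} "
                       f"required under anchor {anchor}")
    return True, f"accepted under anchor {anchor}"


# Constructed sample data. OIDs use the 2.999 arc, which is reserved for examples.
POLICY_A = "2.999.1"
POLICY_B = "2.999.2"

CA_A = Cert("CA A", "Root A", frozenset({POLICY_A}), frozenset({"keyCertSign"}))
EE_A = Cert("alice", "CA A", frozenset({POLICY_A}), frozenset({"digitalSignature"}))
PATH_A = [EE_A, CA_A]

# Root B's rule only accepts POLICY_B, but the end-entity below asserts POLICY_A.
CA_B = Cert("CA B", "Root B", frozenset({POLICY_B}), frozenset({"keyCertSign"}))
EE_B = Cert("bob", "CA B", frozenset({POLICY_A}), frozenset({"digitalSignature"}))
PATH_B = [EE_B, CA_B]

# Flat store: both roots are simply "trusted", nothing more is said about them.
STORE = {"Root A", "Root B"}

# Validation policy: each anchor carries its own conditions (constructed rules).
VALIDATION_POLICY = {
    "Root A": AnchorRule(frozenset({POLICY_A}), frozenset({"digitalSignature"})),
    "Root B": AnchorRule(frozenset({POLICY_B}),
                         frozenset({"digitalSignature", "nonRepudiation"})),
}

if __name__ == "__main__":
    for name, path in (("PATH_A", PATH_A), ("PATH_B", PATH_B)):
        print(name, "flat store:", validate_with_flat_store(path, STORE))
        print(name, "policy:    ", validate_with_policy(path, VALIDATION_POLICY))
```

Running it shows the point of the disagreement: PATH_B is accepted by the flat store, because "Root B" is in it and the chain is linked, but rejected by the validation policy, because the end-entity certificate does not assert a policy that Root B's rule accepts. A relying party that wants per-anchor conditions therefore needs the anchor and its rule stored together; a bare set of anchors cannot express them.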