[x500standard] SV: [pkix] Unclear public-key certificate definition in X.509

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: "'Stefan Santesson'" <stefan@xxxxxxxxxxx>, "'Tom Gindin'" <tgindin@xxxxxxxxxx>
  • Date: Sat, 14 Jan 2012 11:30:26 +0100

Hi Stefan,

As a Swede, you should know how to spell my name. Just think of Eriks Plan
in Stockholm (people may not know, I have a plan) and your ancient kings
named Erik.

Personally, I have a problem with the notation technique in general. It is
used in 7.2 you are referring to and in 18.2, which is a somewhat misplaced
and confusing subclause.

In 7.2 it says the same as the ASN.1 to follow, so there is an unnecessary
duplication, where a reader needs to grasp two different notation techniques
to get the same thing twice.

My preference would be to delete table one, delete the first part of 7.2 and
to rewrite some of the stuff in clause 18 and move it to a more logical
place.

Erik Andersen
Andersen's L-Service
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik


-----Original message-----
From: Stefan Santesson [mailto:stefan@xxxxxxxxxxx]
Sent: 9 January 2012 06:44
To: Erik Andersen; 'Tom Gindin'
Cc: 'PKIX'; 'Jean-Paul Lemaire'
Subject: Re: [pkix] Unclear public-key certificate definition in X.509

Eric,

I think you can solve the confusion with something closer to the
original and stay compliant with table 1 by choosing the term "NCA" for the
name of the CA. It would be more compatible with the chosen term "UCA"
for the unique identifier of the CA.

Using CA1 and CA(A) is just adding confusion and is not necessary to provide
the point of the text.

I would suggest:


Original text:

 Specifically, the certificate of a user with distinguished name A and
unique identifier UA, produced by the certification authority with name CA
and unique identifier UCA, has the following form:

CA<<A>> = CA{V,SN,AI,CA,UCA,A,UA,Ap,TA}



New text:

 Specifically, the public-key certificate of a user with distinguished name
A and unique identifier UA, produced by the CA with name NCA and unique
identifier UCA, has the following form:


CA<<A>> = CA{V,SN,AI,NCA,A,Ap,UCA,UA,TA,Ex}



/Stefan



On 10-12-13 11:13 AM, "Erik Andersen" <era@xxxxxxx> wrote:

>Hi Tom,
>
>Any suggestion? If you have some ideas, how will they affect Table 1 of X.509?
>The term CA(X) was introduced already in the first edition (1988). It
>is nothing of my doing.
>
>Erik Andersen
>
>-----Original message-----
>From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
>Sent: 11 December 2010 00:16
>To: Erik Andersen
>Cc: Jean-Paul Lemaire; 'PKIX'
>Subject: Re: SV: SV: [pkix] Unclear public-key certificate definition in X.509
>
>        Please use a different parameter name than A here.  The bracket 
>style is not the reason for the confusion.
>
>                Tom Gindin
>
>
>From: "Erik Andersen" <era@xxxxxxx>
>To: Tom Gindin/Watson/IBM@IBMUS
>Cc: "'PKIX'" <pkix@xxxxxxxx>, "Jean-Paul Lemaire" <jean-paul.lemaire@xxxxxxxxxxxxxxxxxxxxx>
>Date: 12/08/2010 10:12 AM
>Subject: SV: SV: [pkix] Unclear public-key certificate definition in X.509
>
>Hi Tom and others,
>
>I am finally back on this one. I agree with your last statement. What 
>do you think about writing CA[A] instead of CA(A)?
>
>Erik Andersen
>
>-----Original message-----
>From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
>Sent: 13 November 2010 01:38
>To: Erik Andersen
>Cc: 'PKIX'
>Subject: Re: SV: [pkix] Unclear public-key certificate definition in X.509
>
>        It no longer has the problem which it had before.  Of course, it's
>a little odd to describe a certificate as a function of specifically
>the DN of the issuer, since the critical functional dependency is on the
>issuer's key pair.  My own wording would go: produced by a certification
>authority with the distinguished name CA1, unique identifier UCA1, and key
>pair KCA1, has the following form: Cert<<A, CA1>> = KCA1 { your args }.
>The CA(A) expression just confuses me, because it suggests that the CA
>is a function of the subject name.
>
>Tom Gindin
>
>
>From: "Erik Andersen" <era@xxxxxxx>
>To: Tom Gindin/Watson/IBM@IBMUS
>Cc: "'PKIX'" <pkix@xxxxxxxx>
>Date: 11/12/2010 03:58 AM
>Subject: SV: [pkix] Unclear public-key certificate definition in X.509
>
>Hi Tom,
>
>Thanks for comments. I share your concern. I have updated the suggested 
>text. Please check.
>
>Erik Andersen
>
>
>-----Original message-----
>From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
>Sent: 9 November 2010 14:25
>To: Erik Andersen
>Cc: PKIX
>Subject: Re: [pkix] Unclear public-key certificate definition in X.509
>
>        Since A denotes the user's distinguished name, it confuses me (and
>probably others as well) to describe the CA as having name CA(A) and
>UID UCA(A).  Would this not be easier to understand if the CA had name
>CA(B) and ID UCA(B), or if subscripts were used?  After all, the CA is
>a different entity than the user, and your expression has A being used
>in both contexts.
>
>Tom Gindin
>
>
>From: "Erik Andersen" <era@xxxxxxx>
>To: "PKIX" <pkix@xxxxxxxx>
>Date: 11/03/2010 12:28 PM
>Subject: [pkix] Unclear public-key certificate definition in X.509
>Sent by: pkix-bounces@xxxxxxxx
>
>I have proposed some modification to a paragraph in X.509 as documented by
>the attached file.
>
>I wonder whether you PKIX guys have comments on this proposal. Any comment
>will be appreciated.
> 
>Erik Andersen
> [attachment "DR-xx.pdf" deleted by Tom Gindin/Watson/IBM] 
>_______________________________________________
>pkix mailing list
>pkix@xxxxxxxx
>https://www.ietf.org/mailman/listinfo/pkix
>
>
>[attachment "X509-pot-01.pdf" deleted by Tom Gindin/Watson/IBM]


-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.