I believe the directory attribute userCertificate is a multivalue attribute. I see no reason why it cannot be used to store an attribute certificate. However, some applications may get confused. I think in practice, most apps assume only one certificate in the userCertificate. The term "user" has proved ambiguous; so, I'd agree that there would be some value in defining it. However, I would not define it to exclude attribute certificates.

________________________________
From: owner-ietf-pkix@xxxxxxxxxxxx [owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Erik Andersen [era@xxxxxxx]
Sent: Tuesday, March 24, 2009 9:39 AM
To: Directory list; PKIX
Subject: User certificates

The term "user certificate" is used in X.509 (and X.511) without being defined. I assume that a user certificate is a public-key certificate issued to an end-user. There is an attribute type called userCertificate, which has the syntax of public-key certificates. It seems therefore clear that a user certificate cannot be an attribute certificate.

In the "8.6.2.7 AA Issuing Distribution Point extension" the term user certificate is mentioned in the last paragraph just before the three notes. Is that correct?

The term "user certificate" should be defined.

Any comments?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@xxxxxxx
www.x500.eu
www.x500standard.com