
Re: Open Issue in Part1: path length constraints



What is a CA?  Interestingly, in a cursory review of several of the PKIX
documents I couldn't find a definition.  I have always defined a CA as "the
trusted entity that binds a public key to a subject through the issuance of a
certificate."  I have *always*assumed* that "CA" and "issuance of certificates"
go hand-in-hand.  What do you call a CA that can't issue certificates?  I don't
know, but I wouldn't call it a CA.

Dave S.

David Kemp wrote:

> Dave,
>
> Then is it your suggestion that all PKIX words regarding issuance of
> CRLs by "conforming CAs" be extended to "conforming CAs and end entities",
> or is it your suggestion that CRLs MUST NOT be verified except by a
> public key which is also permitted to verify certificates?
>
> I strongly disagree with the latter, of course.
>
> I disagree with the former too, since it is my belief that a "conforming
> CA" is the organization which signs the CRL, not the public key which
> signs the CRL.  But if PKIX chooses to regard some CRL signers as end
> entities, then it must have words which permit some end entities to
> sign CRLs.
>
> Dave
>
> > Date: Mon, 05 Mar 2001 16:30:10 -0500
> > From: David Simonetti <dsimonetti@xxxxxxxxxxxx>
> >
> > Dave,
> >
> > Responding to your question:
> >
> > > If that certificate has cA=false, and keyCertSign=0 and cRLSign=1,
> > > isn't the subject of the certificate "a conforming CA"?
> >
> > No, it is an end entity.
> > --
> > David Simonetti
> > Securify (www.securify.com), 410-356-2260
> >

--
David Simonetti
Securify (www.securify.com), 410-356-2260
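
The certificate profile disputed in this thread (cA=false, keyCertSign=0, cRLSign=1), decoded from its DER extension values next to an ordinary CA profile. This is an added example, not part of any message in the thread; the function names and sample bytes are constructed for illustration, and the decoder handles short-form DER lengths only.

```python
# Added example: decode the two X.509 extension values the thread argues about.
# Every byte string below is a constructed sample, not from a real certificate.

KEY_CERT_SIGN_BIT = 5   # bit positions in the X.509 KeyUsage BIT STRING
CRL_SIGN_BIT = 6


def read_tlv(data, expected_tag):
    """Return the content octets of one short-form DER TLV."""
    if len(data) < 2 or data[0] != expected_tag:
        raise ValueError("unexpected DER tag")
    length = data[1]
    if length & 0x80 or len(data) != 2 + length:
        raise ValueError("unsupported or inconsistent DER length")
    return data[2:]


def key_usage_bits(ext_value):
    """Decode a KeyUsage BIT STRING into the set of asserted bit numbers."""
    content = read_tlv(ext_value, 0x03)
    if not content or content[0] > 7:
        raise ValueError("malformed BIT STRING")
    unused, payload = content[0], content[1:]
    total = len(payload) * 8 - unused
    # Bit 0 is the most significant bit of the first payload octet.
    return {i for i in range(total) if payload[i // 8] & (0x80 >> (i % 8))}


def basic_constraints_ca(ext_value):
    """Return the cA boolean; DER omits it when it is the default FALSE."""
    content = read_tlv(ext_value, 0x30)
    if content[:1] == b"\x01":           # first element is the BOOLEAN cA
        return read_tlv(content[:3], 0x01) != b"\x00"
    return False


def describe(basic_constraints, key_usage):
    """Report the three flags; basic_constraints may be None (extension absent)."""
    bits = key_usage_bits(key_usage)
    return {
        "cA": basic_constraints is not None and basic_constraints_ca(basic_constraints),
        "keyCertSign": KEY_CERT_SIGN_BIT in bits,
        "cRLSign": CRL_SIGN_BIT in bits,
    }


# Constructed: empty BasicConstraints (cA=false), KeyUsage with only cRLSign.
DISPUTED = describe(bytes.fromhex("3000"), bytes.fromhex("03020102"))
# Constructed: cA=true, KeyUsage with keyCertSign and cRLSign.
ORDINARY_CA = describe(bytes.fromhex("30030101ff"), bytes.fromhex("03020106"))
```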