Re the X.509 language - The main reason you see terms like 'authority' and
CRL issuer instead of CA is that CRLs can also be issued for attribute certificates.
These CRLs would be signed by Attribute Authorities (AAs), not by CAs. As editor,
one of my editing tasks for the 2000 509 was to replace "CA" with "authority" wherever both CA and AA
were intended. That is the main reason you see these terms. There really hasn't been any
discussion in 509 on non CA, AA issued CRLs that I can remember. Taking this to the next
step, the definition of "authority" in X.509 (clause 3.3.6) is: "An entity, responsible for the issuance of certificates. Two types are defined in this Specification; certification authority which issues public-key certificates and attribute authority which issues attribute certificates." So, at least from the X.509 perspective an authority is either a CA or an AA.
Sharon
> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: Wednesday, March 07, 2001 11:41 AM
> To: Ambarish Malpani
> Cc: ietf-pkix@xxxxxxx
> Subject: RE: Open Issue in Part1: path length constraints
>
>
> Ambarish,
>
> >Hi Steve,
> > While the term "VA" might not be part of the IETF standards,
> >it is the entity that can do the following:
> >
> >a. Sign OCSP responses - where you directly trust the responder
> >b. Sign Indirect CRLs (I suppose this is a circular argument)!
> >c. Do the Delegated Path Validation protocol.
> >
> >Agreed?
>
> Since you made the term up, I suppose a VA can do anything :-).
>
> On a more serious note, we made an explicit provision for non-CA
> signing of OCSP responses when OCSP was created. You are an author,
> so you know this. But, you didn't seem to feel a need to create a
> name for such entities at the time, which is OK too. CRL signing
> was, prior to v3, strictly the province of a CA. What it seems we
> have in our docs, and to a lesser extent in the X.509 docs, is a
> failure to clearly describe the intent to allow non-CA entities to
> sign CRLs. I say this based on the mix of terms in 2459, and some
> selected examples of text from X.509 that refer to an "authority"
> without naming any sort of authority other than CAs (and AAs?).
>
> So, going forward, if we want to allow non-CAs to perform this
> function, let's just get the text to be clear on this point, and if
> necessary, let's create a name for these entities, to minimize
> confusion.
>
> As for DPV, it is clear that it can be performed by a non-CA entity.
>
> Steve
>
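The non-CA CRL signing that Steve and Ambarish discuss above is what X.509 calls an indirect CRL: the CRL carries an IssuingDistributionPoint extension with indirectCRL set, and a relying party verifies the CRL's signature against the CRL issuer's own certificate, which needs the cRLSign key usage but not cA=true. The Go program below is an added example written for this page, not code from the thread or from any X.509 or PKIX text. It assumes Go's standard crypto/x509 (1.19 or later, and generics from 1.18) and builds a throwaway CA, a cA=false CRL issuer certified by that CA, and an indirect CRL entirely in memory; the subject names, serial numbers and the revoked serial 3 are made up. Go's certificate template cannot express the cRLIssuer name inside a certificate's cRLDistributionPoints, so only the CRL side of the indirect relationship is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-issuingDistributionPoint (2.5.29.28); indirectCRL marks a CRL that may list another issuer's certs.
var oidIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28}

// Only the indirectCRL [4] field of IssuingDistributionPoint is modelled here.
type issuingDistributionPoint struct {
	IndirectCRL bool `asn1:"optional,tag:4"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// NewDemoPKI builds, in memory, a CA, a cA=false CRL issuer certified by that CA
// for cRLSign only, and an indirect CRL signed by the CRL issuer (not the CA)
// that revokes serial 3, a hypothetical end-entity certificate of the CA.
func NewDemoPKI() (ca, crlIssuer *x509.Certificate, crlDER []byte) {
	caKey, crlKey, now := newKey(), newKey(), time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = issue(caT, caT, &caKey.PublicKey, caKey)
	// Deliberately not a CA. CreateRevocationList needs the signer's SKID to emit the CRL's AKI.
	skid := sha256.Sum256(must(x509.MarshalPKIXPublicKey(&crlKey.PublicKey)))
	crlT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo CRL Issuer"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: false,
		KeyUsage: x509.KeyUsageCRLSign, SubjectKeyId: skid[:20]}
	crlIssuer = issue(crlT, ca, &crlKey.PublicKey, caKey)
	idp := must(asn1.Marshal(issuingDistributionPoint{IndirectCRL: true})) // DER: 30 03 84 01 ff
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now}},
		ExtraExtensions:     []pkix.Extension{{Id: oidIssuingDistributionPoint, Critical: true, Value: idp}},
	}, crlIssuer, crlKey))
	return ca, crlIssuer, crlDER
}

// IsIndirectCRL reports whether the CRL's IssuingDistributionPoint sets indirectCRL.
func IsIndirectCRL(crl *x509.RevocationList) (bool, error) {
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidIssuingDistributionPoint) {
			var idp issuingDistributionPoint
			_, err := asn1.Unmarshal(ext.Value, &idp)
			return idp.IndirectCRL, err
		}
	}
	return false, nil
}

// CheckCRLSignedBy verifies a CRL against a signer that need not be a CA: cRLSign key usage
// plus the signature over the TBS bytes. The stdlib's CheckSignatureFrom rejects cA=false signers.
func CheckCRLSignedBy(crl *x509.RevocationList, signer *x509.Certificate) error {
	if signer.KeyUsage != 0 && signer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return errors.New("signer lacks the cRLSign key usage")
	}
	return signer.CheckSignature(crl.SignatureAlgorithm, crl.RawTBSRevocationList, crl.Signature)
}

// IsRevoked reports whether serial appears in the CRL's revoked entries.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	ca, crlIssuer, crlDER := NewDemoPKI()
	crl := must(x509.ParseRevocationList(crlDER))
	indirect, _ := IsIndirectCRL(crl)
	fmt.Println("indirectCRL:", indirect, "| serial 3 revoked:", IsRevoked(crl, big.NewInt(3)))
	fmt.Println("verify with CRL issuer:", CheckCRLSignedBy(crl, crlIssuer), "| with CA:", CheckCRLSignedBy(crl, ca),
		"| stdlib CheckSignatureFrom(non-CA signer):", crl.CheckSignatureFrom(crlIssuer))
}
```

A relying party handling such a CRL does three things in order: reads the IDP to learn the CRL is indirect, chains the CRL issuer's certificate to the CA it trusts (here, crlIssuer is signed by ca), and verifies the CRL signature with the CRL issuer's key rather than the CA's. The last print line shows the practical consequence of the terminology gap the thread is about: Go's own RevocationList.CheckSignatureFrom equates "CRL signer" with "CA" and refuses the cA=false issuer before it even looks at the signature, even though the key usage and the signature itself are valid.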