
RE: Open Issue in Part1: path length constraints



Sharon,

Re the X.509 language - The main reason you see terms like 'authority' and
CRL issuer instead of CA is that CRLs can also be issued for attribute certificates.
These CRLs would be signed by Attribute Authorities (AA) not by CAs. As editor,
one of my editing tasks for the 2000 509 was to replace "CA" with "authority" wherever both CA and AA
were intended. That is the main reason you see these terms. There really hasn't been any
discussion in 509 on non CA, AA issued CRLs that I can remember. Taking this to the next
step, the definition of "authority" in X.509 (clause 3.3.6) is: "An entity, responsible for the issuance of certificates. Two types are defined in this Specification; certification authority which issues public-key certificates and attribute authority which issues attribute certificates." So, at least from the X.509 perspective an authority is either a CA or an AA.

Thanks for the clarification; it reaffirms my recent comments about the scope of the term "authority." That says that there is no explicit provision for non CA/AA issuance of CRLs in X.509. So, not only does PKIX have to decide if it wants to create the notion of a new sort of authority for CRL issuance, but then we have to see if X.509 will follow this approach as well.


Steve