
Re: Open Issue in Part1: path length constraints



Sharon,

I read your explanations below. We do not have any problem about the
concepts, but there is a vocabulary problem here. It would be unfortunate to
say that an Authority may only be a CA or an AA. An Authority needs to be
qualified by a term: C-A (C= Certification) or A-A (A = Attribute). There
are and will be other Authorities in a PKIX. As an example: TS-A (TS = Time
Stamping).

I do know that, for ISO documents, definitions only apply for the given
document where the definition is, but rewording clause 3.3.6 from X.509
along the following lines would need to be considered:

Authority: "An entity, trusted by some other entities for a security related
service. Two types of authorities are defined in this Specification;
certification authority which issues public-key certificates and attribute
authority which issues attribute certificates. Other types might be defined
in the future."

Denis

 
> Sharon,
> 
> >Re the X.509 language - The main reason you see terms like 'authority' and
> >CRL issuer instead of CA is that CRLs can also be issued for
> >attribute certificates.
> >These CRLs would be signed by Attribute Authorities (AA) not by CAs.
> >As editor,
> >one of my editing tasks for the 2000 509 was to replace "CA" with
> >"authority" wherever both CA and AA
> >were intended. That is the main reason you see these terms. There
> >really hasn't been any
> >discussion in 509 on non CA, AA issued CRLs that I can remember.
> >Taking this to the next
> >step, the definition of "authority" in X.509 (clause 3.3.6) is: "An
> >entity, responsible for the issuance of certificates. Two types are
> >defined in this Specification; certification authority which issues
> >public-key certificates and attribute authority which issues
> >attribute certificates." So, at least from the X.509 perspective an
> >authority is either a CA or an AA.
> 
> Thanks for the clarification; it reaffirms my recent comments about
> the scope of the term "authority." That says that there is no
> explicit provision for non CA/AA issuance of CRLs in X.509. So, not
> only does PKIX have to decide if it wants to create the notion of a
> new sort of authority for CRL issuance, but then we have to see if
> X.509 will follow this approach as well.
> 
> Steve