I do think it is important that, regardless of whether the entity signing a
CRL or an OCSP response represents a CA or not, relying parties have
a clear path to determine whether or not to 'trust' such an indication of
revocation status. For OCSP responders we have the AIA extension and for CRLs
the issuer (if different than the cert issuer) can be indicated in the crldp.
Sharon
> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: Wednesday, March 07, 2001 5:19 PM
> To: Sharon Boeyen
> Cc: ietf-pkix@xxxxxxx
> Subject: RE: Open Issue in Part1: path length constraints
>
>
> Sharon,
>
> >Re the X.509 language - The main reason you see terms like
> >'authority' and CRL issuer instead of CA is that CRLs can also be
> >issued for attribute certificates.
> >These CRLs would be signed by Attribute Authorities (AA) not by CAs.
> >As editor, one of my editing tasks for the 2000 509 was to replace
> >"CA" with "authority" wherever both CA and AA were intended. That is
> >the main reason you see these terms. There really hasn't been any
> >discussion in 509 on non CA, AA issued CRLs that I can remember.
> >Taking this to the next step, the definition of "authority" in X.509
> >(clause 3.3.6) is: "An entity, responsible for the issuance of
> >certificates. Two types are defined in this Specification;
> >certification authority which issues public-key certificates and
> >attribute authority which issues attribute certificates." So, at
> >least from the X.509 perspective an authority is either a CA or an AA.
>
> Thanks for the clarification; it reaffirms my recent comments about
> the scope of the term "authority." That says that there is no
> explicit provision for non CA/AA issuance of CRLs in X.509. So, not
> only does PKIX have to decide if it wants to create the notion of a
> new sort of authority for CRL issuance, but then we have to see if
> X.509 will follow this approach as well.
>
> Steve
>
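
The two pointers named at the top of this message (AIA for OCSP, cRLIssuer in the crldp for CRLs) can be read out of a certificate as follows. This is an added example, not part of the original thread; it assumes the Python `cryptography` package, and the certificate, names and URLs are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_sample_cert(crl_issuer_cn=None):
    """Constructed test certificate; every name and URL is made up."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2024, 1, 1)
    crl_issuer = [x509.DirectoryName(dn(crl_issuer_cn))] if crl_issuer_cn else None
    dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("http://crl.example/list.crl")],
        relative_name=None, reasons=None, crl_issuer=crl_issuer)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP,
        x509.UniformResourceIdentifier("http://ocsp.example/"))])
    return (x509.CertificateBuilder()
            .subject_name(dn("leaf.example")).issuer_name(dn("Example Issuing CA"))
            .public_key(key.public_key()).serial_number(1000)
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=30))
            .add_extension(aia, critical=False)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(key, hashes.SHA256()))

def ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return []  # extension absent: nothing to iterate over

def revocation_sources(cert):
    """Return (ocsp_urls, [(crl_urls, acceptable_crl_signer_names), ...])."""
    ocsp = [d.access_location.value for d in ext(cert, x509.AuthorityInformationAccess)
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    crls = []
    for dp in ext(cert, x509.CRLDistributionPoints):
        urls = [g.value for g in dp.full_name or []
                if isinstance(g, x509.UniformResourceIdentifier)]
        # cRLIssuer present: the CRL must be signed by that named issuer.
        # Absent: the CRL must be signed by the certificate's own issuer.
        named = [g.value for g in dp.crl_issuer or [] if isinstance(g, x509.DirectoryName)]
        crls.append((urls, [n.rfc4514_string() for n in named or [cert.issuer]]))
    return ocsp, crls
```

A relying party would compare the issuer name of a fetched CRL against the returned signer names before accepting its contents.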