509 doesn't currently state that there are only two types, but states
that 2 types are defined in that specification. Anything could be added
to 509 in the future, we don't need to state that explicitly (although
my hope is that VERY VERY LITTLE still needs to be added to 509 - note that
the current WD is under 10 pages and I sincerely hope it stays that way!).
> -----Original Message-----
> From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> Sent: Thursday, March 08, 2001 2:56 AM
> To: Stephen Kent
> Cc: Sharon Boeyen; ietf-pkix@xxxxxxx
> Subject: Re: Open Issue in Part1: path length constraints
>
>
> Sharon,
>
> I read your explanations below. We do not have any problem about the
> concepts, but there is a vocabulary problem here. It would be unfortunate to
> say that an Authority may only be a CA or an AA. An Authority needs to be
> qualified by a term: C-A (C = Certification) or A-A (A = Attribute). There
> are and will be other Authorities in a PKIX. As an example: TS-A (TS = Time
> Stamping).
>
> I do know that, for ISO documents, definitions only apply for the given
> document where the definition is, but rewording clause 3.3.6 from X.509
> along the following would need to be considered:
>
> Authority: "An entity, trusted by some other entities for a security related
> service. Two types of authorities are defined in this Specification;
> certification authority which issues public-key certificates and attribute
> authority which issues attribute certificates. Other types might be defined
> in the future."
>
> Denis
>
>
> > Sharon,
> >
> > >Re the X.509 language - The main reason you see terms like 'authority'
> > >and CRL issuer instead of CA is that CRLs can also be issued for
> > >attribute certificates.
> > >These CRLs would be signed by Attribute Authorities (AA) not by CAs.
> > >As editor,
> > >one of my editing tasks for the 2000 509 was to replace "CA" with
> > >"authority" wherever both CA and AA
> > >were intended. That is the main reason you see these terms. There
> > >really hasn't been any
> > >discussion in 509 on non CA, AA issued CRLs that I can remember.
> > >Taking this to the next
> > >step, the definition of "authority" in X.509 (clause 3.3.6) is: "An
> > >entity, responsible for the issuance of certificates. Two types are
> > >defined in this Specification; certification authority which issues
> > >public-key certificates and attribute authority which issues
> > >attribute certificates." So, at least from the X.509 perspective an
> > >authority is either a CA or an AA.
> >
> > Thanks for the clarification; it reaffirms my recent comments about
> > the scope of the term "authority." That says that there is no
> > explicit provision for non CA/AA issuance of CRLs in X.509. So, not
> > only does PKIX have to decide if it wants to create the notion of a
> > new sort of authority for CRL issuance, but then we have to see if
> > X.509 will follow this approach as well.
> >
> > Steve
>