
Re: Open Issue in Part1: path length constraints



Sharon,

> 509 doesn't currently state that there are only two types, but states
> that 2 types are defined in that specification. 

I would like that to be true, but it is not, since the text says:

"Authority: An entity, responsible for the issuance of certificates."

If that sentence were deleted or changed, then it would be OK.

Denis

> Anything could be added to 509 in the future, we don't need to state
> that explicitly (although my hope is that VERY VERY LITTLE still needs
> to be added to 509 - note that the current WD is under 10 pages and i
> sincerely hope it stays that way!).
> 
> > -----Original Message-----
> > From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> > Sent: Thursday, March 08, 2001 2:56 AM
> > To: Stephen Kent
> > Cc: Sharon Boeyen; ietf-pkix@xxxxxxx
> > Subject: Re: Open Issue in Part1: path length constraints
> >
> >
> > Sharon,
> >
> > I read your explanations below. We do not have any problem about the
> > concepts, but there is a vocabulary problem here. It would be
> > unfortunate to say that an Authority may only be a CA or an AA. An
> > Authority needs to be qualified by a term: C-A (C = Certification) or
> > A-A (A = Attribute). There are and will be other Authorities in a PKIX.
> > As an example: TS-A (TS = Time Stamping).
> >
> > I do know that, for ISO documents, definitions only apply for the given
> > document where the definition is, but rewording clause 3.3.6 from X.509
> > along the following would need to be considered:
> >
> > Authority: "An entity, trusted by some other entities for a security
> > related service. Two types of authorities are defined in this
> > Specification; certification authority which issues public-key
> > certificates and attribute authority which issues attribute
> > certificates. Other types might be defined in the future."
> >
> > Denis
> >
> >
> > > Sharon,
> > >
> > > > Re the X.509 language - The main reason you see terms like
> > > > 'authority' and CRL issuer instead of CA is that CRLs can also be
> > > > issued for attribute certificates. These CRLs would be signed by
> > > > Attribute Authorities (AA) not by CAs. As editor, one of my editing
> > > > tasks for the 2000 509 was to replace "CA" with "authority" wherever
> > > > both CA and AA were intended. That is the main reason you see these
> > > > terms. There really hasn't been any discussion in 509 on non CA, AA
> > > > issued CRLs that I can remember. Taking this to the next step, the
> > > > definition of "authority" in X.509 (clause 3.3.6) is: "An entity,
> > > > responsible for the issuance of certificates. Two types are defined
> > > > in this Specification; certification authority which issues
> > > > public-key certificates and attribute authority which issues
> > > > attribute certificates." So, at least from the X.509 perspective an
> > > > authority is either a CA or an AA.
> > >
> > > Thanks for the clarification; it reaffirms my recent comments about
> > > the scope of the term "authority." That says that there is no
> > > explicit provision for non CA/AA issuance of CRLs in X.509. So, not
> > > only does PKIX have to decide if it wants to create the notion of a
> > > new sort of authority for CRL issuance, but then we have to see if
> > > X.509 will follow this approach as well.
> > >
> > > Steve
> >