[IETF-PKIX] Terminology - Cross-Certification
I believe the term "cross-certification" continues to be an ill-defined and
confused term in PKI. Prior to publication of the PKIX Proposed Standards,
we may have one last chance to square this away.
While precise definitions of cross-certification are hard to find,
different interpretations that I have encountered include:
(1) In an essentially-hierarchical CA structure, issuance of a certificate
that is not in accordance with that hierarchy.
(2) Any case of issuance of a certificate by one CA for another.
(3) Issuance of a certificate by a CA in one organization to a CA in
another organization. (You might substitute "domain" for "organization".)
Note that (2) and (3) are different, since, in the general case, an
organization has a structure of multiple CAs.
(4) The situation in which any two CAs issue certificates for each other.
(5) The situation in which two CAs, each in a different organization, issue
certificates for each other.
Note that X.509 is of no help - it is highly ambiguous.
With a view to us firming up a common terminology, following are some
suggestions:
I don't think (1) is a good interpretation of "cross-certification", and I
don't think this needs its own term at all, e.g., in Secure Electronic
Commerce we just spoke of "hierarchical structure with additional links".
I suggest that (2) would most appropriately be called CA-certification,
since the result is a "CA-certificate", a defined term in X.509.
I believe (3) represents the most common interpretation of
"cross-certification" in the public's mind. (Although, to avoid confusion,
we called this "inter-domain certification" in Secure Electronic Commerce.)
I think that (4) and (5) bring in a separate issue, which is not of much
practical significance anyway. I believe that it is coincidental if two
organizations find they can both issue certificates simultaneously in both
directions between precisely the same two CAs, one in each organization.
Where this does prove to be a practical requirement, and can be achieved, I
believe we have the special case of "mutual CA-certification", "mutual
inter-domain certification" or "mutual cross-certification" as applicable.
My preference would be to avoid the term "cross-certification" entirely,
and instead adopt:
(1) - no term needed -,
(2) "CA-certification",
(3) "inter-domain certification",
(4) "mutual CA-certification", and
(5) "mutual inter-domain certification".
If we keep using "cross-certification", then I suggest we settle on it
being (3).
In PKIX, this presents a minor problem, since it would seem that the
PKIX-CMP usage of the term is (2). Changing the PKIX-CMP term to
"CA-certification" is possible, and probably a good idea, before
publication as Proposed Standard.
Warwick
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
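To make the distinctions drawn in the post concrete, the following is an added example (not code from the original message or from its author) that models a set of CAs, their organizations and the CA-certificates issued between them, and labels each issuance with the terminology proposed above: "CA-certification" for any CA-to-CA certificate within one organization, "inter-domain certification" when issuer and subject are in different organizations, and the "mutual" prefix when the reverse certificate also exists. It also flags interpretation (1), certificates that do not follow a declared hierarchy. The CA names, organizations and issuance list are constructed for illustration.

```python
"""Classify CA-to-CA certificate issuances using the terminology proposed
in the post. Added example; all CAs, organizations and issuances below are
constructed sample data, not a description of any real deployment."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CA:
    name: str
    org: str  # the post's "organization" (or "domain")


@dataclass(frozen=True)
class CACert:
    """A CA-certificate in the X.509 sense: issuer and subject are both CAs."""
    issuer: str
    subject: str


def classify_issuances(cas: List[CA], certs: List[CACert]) -> Dict[Tuple[str, str], str]:
    """Label every (issuer, subject) pair per interpretations (2) to (5).

    (2) CA-certification: issuer and subject in the same organization.
    (3) inter-domain certification: issuer and subject in different organizations.
    (4)/(5) "mutual ...": the reverse certificate also exists between the same two CAs.
    """
    by_name = {ca.name: ca for ca in cas}
    edges: Set[Tuple[str, str]] = {(c.issuer, c.subject) for c in certs}
    labels: Dict[Tuple[str, str], str] = {}
    for issuer, subject in sorted(edges):
        i, s = by_name[issuer], by_name[subject]
        label = "inter-domain certification" if i.org != s.org else "CA-certification"
        if (subject, issuer) in edges:  # both directions between precisely these two CAs
            label = "mutual " + label
        labels[(issuer, subject)] = label
    return labels


def additional_links(certs: List[CACert], hierarchy: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Interpretation (1): certificates not in accordance with the declared hierarchy.

    `hierarchy` maps each CA to its designated parent (None for a root).
    Any issuance whose issuer is not the subject's parent is an "additional link".
    """
    return sorted((c.issuer, c.subject) for c in certs if hierarchy.get(c.subject) != c.issuer)


# Constructed sample: two organizations, each with a root and a subordinate CA.
SAMPLE_CAS = [
    CA("A-Root", "OrgA"), CA("A-Sub", "OrgA"),
    CA("B-Root", "OrgB"), CA("B-Sub", "OrgB"),
]
# Declared hierarchy (subject -> parent); roots have no parent.
SAMPLE_HIERARCHY: Dict[str, Optional[str]] = {
    "A-Root": None, "A-Sub": "A-Root",
    "B-Root": None, "B-Sub": "B-Root",
}
SAMPLE_CERTS = [
    CACert("A-Root", "A-Sub"),   # ordinary hierarchical CA-certificate
    CACert("A-Sub", "A-Root"),   # reverse link inside OrgA -> mutual CA-certification
    CACert("B-Root", "B-Sub"),   # ordinary hierarchical CA-certificate
    CACert("A-Root", "B-Root"),  # OrgA root certifies OrgB root
    CACert("B-Root", "A-Root"),  # ...and vice versa -> mutual inter-domain certification
    CACert("A-Sub", "B-Sub"),    # one-way inter-domain certification
]


def report() -> Dict[Tuple[str, str], str]:
    labels = classify_issuances(SAMPLE_CAS, SAMPLE_CERTS)
    extra = set(additional_links(SAMPLE_CERTS, SAMPLE_HIERARCHY))
    for (issuer, subject), label in labels.items():
        note = "  [not in declared hierarchy]" if (issuer, subject) in extra else ""
        print(f"{issuer:7} -> {subject:7}: {label}{note}")
    return labels


if __name__ == "__main__":
    report()
```

Running the block prints one line per issuance; the two intra-organization links between A-Root and A-Sub come out as "mutual CA-certification", the root-to-root pair as "mutual inter-domain certification", and A-Sub to B-Sub as plain "inter-domain certification", which is the distinction between (2)/(3) and (4)/(5) the post draws.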