Re: [IETF-PKIX] Terminology - Cross-Certification
Warwick, et alia:
I believe that the term "cross-certification" should stay in the
document, and that its usage should be essentially that defined by
Warwick as (3); i.e.,
>(3) Issuance of a certificate by a CA in one organization to a CA in
>another organization. (You might substitute "domain" for "organization".)
and I would substitute "domain" for "organization" because I think that
it's a more generic term.
Looking at (2), "Any case of issuance of a certificate by one CA for
another", this seems to not be sufficient. To me, there are two cases of
CA-certificates. One is hierarchically-based; i.e., a Root CA issues a
certificate for one of its subordinate CAs. The other is more
peer-based; i.e., a CA for the University of Maryland issues a
certificate for the CA for Purdue University, stating under what
conditions Maryland people may accept Purdue-issued certificates.
Warwick's definition (2) does not make this distinction between
hierarchical and peer-to-peer CA certificates, and I personally believe
that it is an important distinction to preserve.
Why do I think that the distinction needs to be preserved? First,
because the trust properties - specifically, issues of transitivity -
are different. In the hierarchical case, I as a subordinate CA have to
trust what my superior CA does - if I don't I shouldn't be her
subordinate. Similarly, as a Root CA, I trust (and constrain) what my
subordinate can do. Such a relationship does not exist in a peer-to-peer
relationship. There, I decide that I will choose to trust you for
certain actions, under certain circumstances. (Note that there is no
requirement that cross-certificates be issued in both directions;
one-way cross-certification is perfectly logical in some scenarios.)
Second, the certificate path validations with cross-certificates can
get almost arbitrarily complex if transitive trust is permitted - it can
degenerate to almost a "web of trust" model. Applications should be
aware of this when trying to construct certificate paths.
Al Arsenault
- Speaking for myself. My opinions do not necessarily represent those
of my employer.
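The point about path validation above, as an added example that is not code from this thread or from any PKI library: a small path builder over a constructed graph of CA certificates, where hierarchical (subordinate-CA) certificates chain freely but cross-certificates are either limited to one hop (peer trust is not transitive) or allowed to chain without limit (the "web of trust" case). The CA names, the certificate graph and the one-hop policy are assumptions made for the demonstration.

```python
"""Certificate-path construction over a graph of CA certificates.

Added illustration for the IETF-PKIX thread; not code from the thread or from
any real PKI implementation.  CA names, the certificate graph and the
"at most one cross-certificate per path" policy are constructed assumptions.
"""
from collections import deque

# Constructed CA-certificate graph: (issuer, subject, kind).
# kind is "sub" for a hierarchical subordinate-CA certificate and "cross" for
# a peer-to-peer cross-certificate issued from one domain's CA to another's.
CA_CERTS = [
    ("UMD-Root", "UMD-CS", "sub"),
    ("UMD-Root", "Purdue-Root", "cross"),   # one-way cross-certification
    ("Purdue-Root", "Purdue-ECE", "sub"),
    ("Purdue-Root", "MIT-Root", "cross"),
    ("MIT-Root", "MIT-EECS", "sub"),
    ("MIT-Root", "UMD-Root", "cross"),      # closes a cycle among the peers
]


def build_paths(anchor, target, certs, transitive_cross):
    """Return every simple CA path from the trust anchor to the target CA.

    transitive_cross=False allows at most one cross-certificate per path
    (peer trust is a one-hop decision, the post's position).
    transitive_cross=True lets cross-certificates chain, so any CA reachable
    through a sequence of peers becomes trusted, as in a web of trust.
    """
    edges = {}
    for issuer, subject, kind in certs:
        edges.setdefault(issuer, []).append((subject, kind))
    paths = []
    queue = deque([([anchor], 0)])       # (path so far, cross-certs used)
    while queue:
        path, crosses = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for subject, kind in edges.get(path[-1], []):
            if subject in path:          # simple paths only: never revisit a CA
                continue
            used = crosses + (kind == "cross")
            if not transitive_cross and used > 1:
                continue                 # a second peer hop is not trusted
            queue.append((path + [subject], used))
    return paths


if __name__ == "__main__":
    for policy in (False, True):
        print(policy, build_paths("UMD-Root", "MIT-EECS", CA_CERTS, policy))
```

With the one-hop policy the UMD anchor reaches Purdue's subordinate CA but not MIT's; with transitive cross-certification it reaches MIT through Purdue, and the cycle back to UMD-Root is only kept finite by the simple-path check.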