
Re: [IETF-PKIX] Terminology - Cross-Certification



Denis Pinkas wrote:

<snip>
>As a consequence we currently do not define what are hierarchical CAs
>and we do NOT make a difference between hierarchically-based and
>peer-based CAs.
>
>If we were going to introduce the distinction we would need to provide
>more text to address name subordination on various name formats. I
>wonder if this is still appropriate at this time.
>
>(... text deleted)
>
>Denis

I do not believe that name subordination is a requirement for
hierarchically-based CAs.  (I certainly hope it isn't, since we don't
require it for CAs in MISSI :-)

To me, a CA hierarchy is one in which a superior node can constrain what
a subordinate node does - e.g., what policy OIDs it can issue, what
extensions it must/must not/can optionally populate, and maybe (but not
necessarily) what name subordination rules it must follow.

This contrasts with a peer-based architecture, in which one CA
essentially tells another one "I'll accept your certificates if they
have the following properties.  What else you do is your own business; I
won't interfere, but things that interwork with my users must have the
following properties."  The degree of control is much less.

This can be important in an Internet PKI.  Suppose an ISP wanted to
purchase CA workstations from - oh, pick on somebody here - GTE
Internetworking (in honor of our illustrious co-chair) and set up a
hierarchy of CAs for use within that ISP and its customers.  They might
want to set up a strict hierarchy such that the root CA was at the top
of all users' trust chains, and certs were only valid if they derived
from that root CA.  Further, the ISP would allow users to interwork with
certificates from other services only if there were a valid
cross-certificate in place, signed by the ISP's root CA.  This
cross-certificate might be issued to, say, VeriSign (in honor of the
other illustrious co-chair), allowing the ISP's users to interwork with
users under a VeriSign CA so long as the proper policy OIDs, etc. were
present.  The degree of control the ISP exerts over VeriSign is clearly
less than the degree of control it exerts over its own CAs, and this is
significant.


                        Al Arsenault

- Speaking only for myself. My opinions do not necessarily reflect those
of my employer.
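The ISP scenario above (a strict hierarchy under the ISP root, plus a cross-certificate to an outside CA that is honoured only for the proper policy OIDs) can be made concrete with a small path validator. The following is an added example and not code from the thread or from any of the participants; every CA name, policy OID and certificate in it is constructed for illustration, and the validator is a deliberately simplified version of the RFC 5280 section 6 procedure (no policy mapping, no inhibitAnyPolicy, no signature checking).

```python
"""
Toy path validator, added here as an example and not part of the original
message: one relying party trusts only the ISP root; the root confines its own
subordinate CA by name, and admits an external CA only through a
cross-certificate that names the policy OID the ISP will honour. All CA
names, OIDs and certificates are constructed for the example.
"""
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"  # anyPolicy (RFC 5280)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset                          # certificatePolicies asserted
    is_ca: bool = False
    permitted_subtrees: frozenset = frozenset()  # nameConstraints on subordinates; empty = none


def in_subtrees(name, subtrees):
    return any(name == s or name.endswith("." + s) for s in subtrees)


def validate_path(chain, trust_anchors, initial_policies=frozenset({ANY_POLICY})):
    """Return (ok, reason). chain[0] is issued by a trust anchor, chain[-1] is the end entity.

    Simplified from RFC 5280 section 6: issuer/subject chaining, basicConstraints,
    name constraints that accumulate down the path, and a valid-policy set that is
    intersected at every certificate (no policy mapping, no inhibitAnyPolicy).
    """
    if not chain:
        return False, "empty path"
    if chain[0].issuer not in trust_anchors:
        return False, f"{chain[0].subject}: issuer {chain[0].issuer!r} is not a trust anchor"
    expected_issuer = chain[0].issuer
    permitted = frozenset()
    valid_policies = initial_policies
    for i, cert in enumerate(chain):
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issued by {cert.issuer!r}, expected {expected_issuer!r}"
        if permitted and not in_subtrees(cert.subject, permitted):
            return False, f"{cert.subject}: outside permitted subtrees {sorted(permitted)}"
        if i < len(chain) - 1 and not cert.is_ca:
            return False, f"{cert.subject}: not a CA but has a subordinate"
        if ANY_POLICY not in cert.policies:
            valid_policies = (cert.policies if ANY_POLICY in valid_policies
                              else valid_policies & cert.policies)
            if not valid_policies:
                return False, f"{cert.subject}: no policy acceptable to the relying party"
        if cert.permitted_subtrees:  # a CA may narrow, never widen, its subordinates' names
            permitted = (cert.permitted_subtrees if not permitted else
                         frozenset(s for s in cert.permitted_subtrees if in_subtrees(s, permitted)))
            if not permitted:
                return False, f"{cert.subject}: name constraints intersect to nothing"
        expected_issuer = cert.subject
    return True, f"accepted under policies {sorted(valid_policies)}"


# --- constructed scenario -------------------------------------------------
ISP_POLICY = "1.3.6.1.4.1.99999.1.1"     # made-up OID: the ISP's subscriber policy
OTHER_POLICY = "1.3.6.1.4.1.99999.9.9"   # made-up OID: a policy the ISP does not recognise

ISP_ROOT = Cert("isp-root", "isp-root", frozenset({ANY_POLICY}), is_ca=True)
ISP_TRUST = {ISP_ROOT.subject: ISP_ROOT}  # the only anchor the ISP's users hold

# Hierarchy: the root confines its subordinate CA to names under isp.example.
ISP_SUB = Cert("ca.isp.example", "isp-root", frozenset({ISP_POLICY}), is_ca=True,
               permitted_subtrees=frozenset({"isp.example"}))
ALICE = Cert("alice.isp.example", "ca.isp.example", frozenset({ISP_POLICY}))
MALLORY = Cert("mallory.evil.example", "ca.isp.example", frozenset({ISP_POLICY}))

# Peer: cross-certificate from the ISP root to an external CA. It asserts only
# ISP_POLICY and carries no name constraints; the external CA runs its own root.
EXT_ROOT = Cert("external-ca", "external-ca", frozenset({ANY_POLICY}), is_ca=True)
XCERT = Cert("external-ca", "isp-root", frozenset({ISP_POLICY}), is_ca=True)
BOB = Cert("bob.external.example", "external-ca", frozenset({ISP_POLICY, OTHER_POLICY}))
CAROL = Cert("carol.external.example", "external-ca", frozenset({OTHER_POLICY}))


def scenario():
    """Each case as seen by an ISP user, plus one as seen by the external CA's own users."""
    return {
        "own user, own hierarchy": validate_path([ISP_SUB, ALICE], ISP_TRUST)[0],
        "own sub-CA strays outside its name subtree": validate_path([ISP_SUB, MALLORY], ISP_TRUST)[0],
        "external user with the ISP's policy via cross-cert": validate_path([XCERT, BOB], ISP_TRUST)[0],
        "external user lacking that policy": validate_path([XCERT, CAROL], ISP_TRUST)[0],
        "external user chained to external root only": validate_path([EXT_ROOT, BOB], ISP_TRUST)[0],
        "same user seen by the external CA's own relying parties":
            validate_path([CAROL], {EXT_ROOT.subject: EXT_ROOT})[0],
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{'VALID  ' if ok else 'INVALID'}  {case}")
```

The last two cases are the point of the message: the ISP's users reject a path that does not derive from the ISP root, and reject an external user whose certificate lacks the policy the cross-certificate names, while the external CA's own relying parties accept that same certificate unchanged. The cross-certificate constrains only what interworks with the ISP's users; it says nothing about what the external CA does for everyone else, which is the smaller degree of control the message describes.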
