Re: [IETF-PKIX] Terminology - Cross-Certification
Warwick Ford wrote:
>
> I believe the term "cross-certification" continues to be an ill-defined and
> confused term in PKI. Prior to publication of the PKIX Proposed Standards,
> we maybe have one last chance to square this away.
I agree.
> While precise definitions of cross-certification are hard to find,
> different interpretations that I have encountered include:
>
> (1) In an essentially-hierarchical CA structure, issuance of a certificate
> that is not in accordance with that hierarchy.
>
> (2) Any case of issuance of a certificate by one CA for another.
>
> (3) Issuance of a certificate by a CA in one organization to a CA in
> another organization. (You might substitute "domain" for "organization".)
> Note that (2) and (3) are different, since, in the general case, an
> organization has a structure of multiple CAs.
>
> (4) The situation in which any two CAs issue certificates for each other.
>
> (5) The situation in which two CAs, each in a different organization, issue
> certificates for each other.
>
> Note that X.509 is of no help - it is highly ambiguous.
>
> With a view to us firming-up a common terminology, following are some
> suggestions:
>
> I don't think (1) is a good interpretation of "cross-certification", and I
> don't think this needs its own term at all, e.g., in Secure Electronic
> Commerce we just spoke of "hierarchical structure with additional links".
>
> I suggest that (2) would most appropriately be called CA-certification,
> since the result is a "CA-certificate", a defined term in X.509.
Yes. It is defined as "A certificate for one CA issued by another CA"
(see Amendment 1 to ISO/IEC 9594-8:1995 (E), Section 3.3, available at
ftp://ftp.bull.com/pub/OSIdirectory/Certificates/Certificates1Dec.DOC).
> I believe (3) represents the most common interpretation of
> "cross-certification" in the public's mind. (Although, to avoid confusion
> we called this "inter-domain certification" in Secure Electronic Commerce.)
>
> I think that (4) and (5) bring in a separate issue, which is not of much
> practical significance anyway. I believe that it is coincidental if two
> organizations find they can both issue certificates simultaneously in both
> directions between precisely the same two CAs, one in each organization.
> Where this does prove to be a practical requirement, and can be achieved, I
> believe we have the special case of "mutual CA-certification", "mutual
> inter-domain certification" or "mutual cross-certification" as applicable.
>
> My preference would be to avoid the term "cross-certification" entirely,
> and instead adopt:
> (1) - no term needed -,
> (2) "CA-certification",
> (3) "inter-domain certification",
> (4) "mutual CA-certification", and
> (5) "mutual inter-domain certification".
>
> If we keep using "cross-certification", then I suggest we settle on it
> being (3).
My preference would be for (2) (i.e. CA-certification), since what is
"inter-domain certification" may be hard to define and agree upon.
> In PKIX, this presents a minor problem, since it would seem that the
> PKIX-CMP usage of the term is (2). Changing the PKIX-CMP term to
> "CA-certification" is possible, and probably a good idea, before
> publication as Proposed Standard.
I support this conclusion.
Denis
--
Denis Pinkas, Bull S.A.                     E-mail : D.Pinkas@frcl.bull.fr
Rue Jean Jaures, B.P. 68                    Phone  : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois, FRANCE          Fax    : 33 - 1 30 80 33 21