Re: [IETF-PKIX] Terminology - Cross-Certification
Arsenault, Al W. wrote:
> Warwick, et alia:
>
> I believe that the term "cross-certification" should stay in the
> document, and that its usage should be essentially that defined by
> Warwick as (3); i.e.,
>
> >(3) Issuance of a certificate by a CA in one organization to a CA in
> >another organization. (You might substitute "domain" for "organization".)
>
> and I would substitute "domain" for "organization" because I think that
> it's a more generic term.
>
> Looking at (2) "Any case of issuance of a certificate by one CA for
> another", this seems to not be sufficient. To me, there are two cases of
> CA-certificates. One is hierarchically-based; i.e., a Root CA issues a
> certificate for one of its subordinate CAs.
The notion of hierarchical CAs was originally introduced by ISO, however
... at this time the only naming allowed was the use of distinguished
names and we had a rule to specify subordinate names. In PKIX we now
recognize other name types.
The only places where the terms "subordinate" and "hierarchy" are used
(in "part 1") are in section 1.2.2, with:
  "A 'subordinate CA' is one that is not a root CA for the end entity in
  question."
  "... a root CA is at the top of any hierarchy."
As a consequence we currently do not define what are hierarchical CAs
and we do NOT make a difference between hierarchically-based and
peer-based CAs.
If we were going to introduce the distinction we would need to provide
more text to address name subordination on various name formats. I
wonder if this is still appropriate at this time.
(... text deleted)
Denis
--
Denis Pinkas Bull S.A. E-mail : D.Pinkas@frcl.bull.fr
Rue Jean Jaures B.P. 68 Phone : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois. FRANCE Fax : 33 - 1 30 80 33 21
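As an added illustration, not part of this thread or of any PKIX document, here is the ISO-style name subordination rule Denis refers to, applied to distinguished names: a CA certificate whose subject name sits strictly below the issuer's name is the hierarchical case, while one issued to a CA in another name branch is the cross-certification case Al describes. It assumes DN strings written root-first with comma-separated RDNs and no escaped commas; all names are constructed samples.

```python
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string written root-first, e.g. 'C=FR,O=Example,OU=PKI',
    into (attribute-type, value) pairs. Attribute types are treated as
    case-insensitive and surrounding whitespace is ignored; escaped commas
    are not handled (an assumption that suffices for the samples below)."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def is_name_subordinate(issuer_dn: str, subject_dn: str) -> bool:
    """True when the subject's name is strictly below the issuer's name:
    the issuer's RDN sequence must be a proper prefix of the subject's."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[:len(issuer)] == issuer


def classify_ca_certificate(issuer_dn: str, subject_dn: str) -> str:
    """Label a CA certificate by the name relationship of its two parties:
    'hierarchical' when the subject name is subordinate to the issuer's,
    'cross' otherwise (the issuer certifies a CA outside its own branch)."""
    if is_name_subordinate(issuer_dn, subject_dn):
        return "hierarchical"
    return "cross"


def check_chain(dns: List[str]) -> List[int]:
    """Given CA names listed root-first, return the indexes of the links
    where name subordination fails (an empty list is a clean hierarchy)."""
    return [i for i in range(1, len(dns))
            if not is_name_subordinate(dns[i - 1], dns[i])]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real PKI.
    root = "C=FR, O=Example Corp"
    sub = "C=FR, O=Example Corp, OU=Engineering CA"
    peer = "C=US, O=Partner Inc, OU=Partner CA"
    print(classify_ca_certificate(root, sub))   # hierarchical
    print(classify_ca_certificate(root, peer))  # cross
    print(check_chain([root, sub, peer]))       # [2]
```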