
[IETF-PKIX] Definition of terms



Colleagues - Here is my proposal ...

Authority A cross-certifies Authority B if the subscriber community of A
is extended (potentially with restrictions) to include all, or a
sub-set, of the subscriber community of B.  But, the relying party
community of A is not so extended.

The subscriber community of an authority is the set of end-entities
whose certificates will validate correctly, according to the X.509
certificate processing rules, by any relying party who forms certificate
paths starting from that authority.

The relying party community of an authority is the set of end-entities
who form certificate paths starting from that authority.

Whether A and B are in different organizations should not be a
consideration, as the definition of an organization is imprecise.  If
B's subscriber community is extended in a similar fashion, then the term
'mutual cross-certification' applies.  I agree that extending a
hierarchy does not need a new term.  So ...

1) no term needed.
2) unilateral cross-certification.
3) no term needed (it's either 2 or 4 as appropriate).
4) mutual cross-certification.
5) no term needed (it's either 2 or 4 as appropriate).

The term 'cross-certification' is in common usage.  And, I believe when
people use it, they have something very similar to what I describe above
in their minds.  If we omitted to provide a rigorous definition in the
standard, let's correct that now.

Best regards.  Tim.



--------------------------------------------------------------
Tim Moses, Entrust Technologies,
Tel: 613 247 3183,
email: tim.moses@entrust.com.
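The definitions in the message above, worked through as an added example that is not part of the original post. It models certificates as issuer-to-subject edges with an optional name constraint, builds paths from an anchor in the way a relying party would, and derives "subscriber community", "cross-certifies", "unilateral" and "mutual" from those paths. Everything else in X.509 path processing (signature verification, validity periods, basic constraints, policies, revocation) is deliberately left out, and the CA and subscriber names are constructed for the illustration.

```python
from collections import namedtuple

# Constructed toy certificate: issuer name, subject name, whether the
# subject is a CA, and an optional name constraint (a permitted name
# suffix that applies to every certificate *after* this one on a path).
# No keys or signatures are modelled.
Cert = namedtuple("Cert", "issuer subject is_ca permitted")


def subscriber_community(anchor, certs):
    """End entities whose certificate paths build from `anchor`.

    Toy approximation of X.509 path processing: walk issuer->subject
    edges starting at the anchor CA; each subject must satisfy all name
    constraints accumulated from earlier certificates on the path; an
    end-entity certificate terminates a path.  Self-signed certificates
    are never used as hops, and a CA already on the path is not revisited.
    """
    community = set()
    stack = [(anchor, (), frozenset([anchor]))]
    while stack:
        ca, constraints, seen = stack.pop()
        for c in certs:
            if c.issuer != ca or c.subject == c.issuer:
                continue  # not issued by this CA, or a self-signed root
            if not all(c.subject.endswith(p) for p in constraints):
                continue  # excluded by a name constraint earlier in the path
            if c.is_ca:
                if c.subject not in seen:
                    extra = (c.permitted,) if c.permitted else ()
                    stack.append((c.subject, constraints + extra, seen | {c.subject}))
            else:
                community.add(c.subject)
    return community


def cross_certifies(a, b, certs):
    """Tim's definition: `a` cross-certifies `b` if the certificates `a`
    issued to `b` extend `a`'s subscriber community with members drawn
    from `b`'s subscriber community.  Checked by removing those
    certificates and comparing communities before and after."""
    without = [c for c in certs if not (c.issuer == a and c.subject == b)]
    gained = subscriber_community(a, certs) - subscriber_community(a, without)
    return bool(gained) and gained <= subscriber_community(b, certs)


def relationship(a, b, certs):
    """Classify the pair with the two terms the message proposes."""
    ab, ba = cross_certifies(a, b, certs), cross_certifies(b, a, certs)
    if ab and ba:
        return "mutual cross-certification"
    if ab or ba:
        return "unilateral cross-certification"
    return "no cross-certification"


# Constructed scenario (hypothetical names).
CA_A, CA_B = "ca.a.example", "ca.b.example"
BASE = [
    Cert(CA_A, CA_A, True, None),                      # A's self-signed root
    Cert(CA_B, CA_B, True, None),                      # B's self-signed root
    Cert(CA_A, "alice@a.example", False, None),        # A's own subscriber
    Cert(CA_B, "bob@b.example", False, None),          # B's own subscriber
    Cert(CA_B, "carol@partner.example", False, None),  # B also certifies an outsider
]
# A cross-certifies B, restricted (name constraint) to B's b.example subscribers.
UNILATERAL = BASE + [Cert(CA_A, CA_B, True, "b.example")]
# B additionally cross-certifies A without restriction.
MUTUAL = UNILATERAL + [Cert(CA_B, CA_A, True, None)]


def demo():
    """Subscriber communities of A and B in each scenario, plus the term
    that applies.  A relying party who anchors at A is *not* thereby able
    to build paths from B: that is the community that does not change."""
    return {
        name: (subscriber_community(CA_A, certs),
               subscriber_community(CA_B, certs),
               relationship(CA_A, CA_B, certs))
        for name, certs in (("base", BASE), ("unilateral", UNILATERAL),
                            ("mutual", MUTUAL))
    }


if __name__ == "__main__":
    for name, (sub_a, sub_b, term) in demo().items():
        print(f"{name:10} A: {sorted(sub_a)}  B: {sorted(sub_b)}  -> {term}")
```

With the restricted cross-certificate, A's community gains bob but not carol, which is the "sub-set of the subscriber community of B" case; B's community is unchanged until B issues its own cross-certificate to A, at which point the mutual term applies. The name-constraint check is the only "restriction" modelled; a real validator would also apply basic constraints, path length, policy and signature checks on every hop.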