Re: [IETF-PKIX] Defintion of terms

["David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>]

> From: Tim Moses <tim.moses@ENTRUST.COM>
>
> Colleagues - Here is my proposal ...
>
> Authority A cross-certifies Authority B if the subscriber community of A
> is extended (potentially with restrictions) to include all, or a
> sub-set, of the subscriber community of B.  But, the relying party
> community of A is not so extended.
>
> The subscriber community of an authority is the set of end-entities
> whose certificates will validate correctly, according to the X.509
> certificate processing rules, by any relying party who forms certificate
> paths starting from that authority.
>
> The relying party community of an authority is the set of end-entities
> who form certificate paths starting from that authority.


Tim,

That proposal makes a lot of sense to me, except for the names of
the communities, and what seems to be a logical flaw in the first
sentence.

The "subscriber community" of Ford sounds superficially to be those
users who have certs issued under Ford's root, rather than those certs
which can be validated by beginning at Ford's root.  If Ford cross
certifies GM, it sounds counter-intuitive that GM users become
"subscribers" of Ford.

I would re-word the proposal to use "subscriber" and something like
"verifiable" communities:

  Authority A cross-certifies Authority B if the **verifiable** community
  of A is extended (potentially with restrictions) to include all, or a
  sub-set, of the **subscriber** community of B.  But, the **subscriber**
  community of A is not so extended.


Does that revision make sense?


> The term 'cross-certification' is in common usage.  And, I believe when
> people use it, they have something very similar to what I describe above
> in their minds.  If we omitted to provide a rigorous definition in the
> standard, let's correct that now.

Yes, we should.