
Re: [IETF-PKIX] Definition of terms



Tim:

I want to be sure I am interpreting you right.  I believe you are proposing
that cross-certification is any situation in which one CA certifies
another, including, for example, the case where an organizational CA
certifies a subordinate CA in that organization's own private hierarchy?
Therefore cross-certificate is a synonym for CA-certificate.  Right?

Warwick

At 11:40 AM 12/19/97 -0500, Tim Moses wrote:
>Colleagues - Here is my proposal ...
>
>Authority A cross-certifies Authority B if the subscriber community of A
>is extended (potentially with restrictions) to include all, or a
>sub-set, of the subscriber community of B.  But, the relying party
>community of A is not so extended.
>
>The subscriber community of an authority is the set of end-entities
>whose certificates will validate correctly, according to the X.509
>certificate processing rules, by any relying party who forms certificate
>paths starting from that authority.
>
>The relying party community of an authority is the set of end-entities
>who form certificate paths starting from that authority.
>
>Whether A and B are in different organizations should not be a
>consideration, as the definition of an organization is imprecise.  If
>B's subscriber community is extended in a similar fashion, then the term
>'mutual cross-certification' applies.  I agree that extending a
>hierarchy does not need a new term.  So ...
>
>1) no term needed.
>2) unilateral cross-certification.
>3) no term needed (it's either 2 or 4 as appropriate).
>4) mutual cross-certification.
>5) no term needed (it's either 2 or 4 as appropriate).
>
>The term 'cross-certification' is in common usage.  And, I believe when
>people use it, they have something very similar to what I describe above
>in their minds.  If we omitted to provide a rigorous definition in the
>standard, let's correct that now.
>
>Best regards.  Tim.
>
>
>
>--------------------------------------------------------------
>Tim Moses, Entrust Technologies,
>Tel: 613 247 3183,
>email: tim.moses@entrust.com.
>
>
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
   wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
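
The subscriber-community and relying-party-community definitions quoted above can be modeled as reachability over a graph of CA certificates. The sketch below is an added example, not part of either message. The authority and end-entity names are constructed, and two things are assumed: that a community is extended by one authority issuing a CA certificate to the other, and that the "potentially with restrictions" clause (constraints applied during X.509 path processing) can be ignored.

```python
from collections import deque

# Constructed sample PKI (all names hypothetical). ca_certs[X] lists the
# authorities X has issued a CA certificate to; ee_certs[X] lists the
# end-entities X has certified directly.
ca_certs = {"A": {"B"}, "B": set(), "C": {"D"}, "D": {"C"}}
ee_certs = {"A": {"alice"}, "B": {"bob"}, "C": {"carol"}, "D": {"dave"}}
# The authority each end-entity starts its certificate paths from.
trust_anchor = {"alice": "A", "bob": "B", "carol": "C", "dave": "D"}

def reachable_authorities(start, ca_certs):
    """Authorities reachable from `start` by following CA certificates."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in ca_certs.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def subscriber_community(authority, ca_certs, ee_certs):
    """End-entities whose certificates validate on a path from `authority`.
    Simplification: restrictions on the path are not modeled."""
    members = set()
    for ca in reachable_authorities(authority, ca_certs):
        members |= ee_certs.get(ca, set())
    return members

def relying_party_community(authority, trust_anchor):
    """End-entities that form certificate paths starting from `authority`."""
    return {ee for ee, anchor in trust_anchor.items() if anchor == authority}

def classify(a, b, ca_certs):
    """Name the a/b relationship using the terms proposed in the message."""
    a_to_b = b in ca_certs.get(a, ())
    b_to_a = a in ca_certs.get(b, ())
    if a_to_b and b_to_a:
        return "mutual cross-certification"
    if a_to_b or b_to_a:
        return "unilateral cross-certification"
    return "none"

if __name__ == "__main__":
    for ca in sorted(ca_certs):
        print(ca, sorted(subscriber_community(ca, ca_certs, ee_certs)),
              sorted(relying_party_community(ca, trust_anchor)))
```

In this sample, A's subscriber community grows to include bob while A's relying party community stays at alice alone, which is the asymmetry the quoted definition describes.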