[IETF-PKIX] Definition of terms
Dave - Thanks for your thoughtful response. I understand your concern
over the choice of the term "subscriber community". Apart from
anything, it seems to suggest that money has to change hands, which
isn't necessarily the case at all. I suppose I felt a little discomfort
with your suggestion, too: I wanted something that had a "friendly"
singular form ("subscriber", as opposed to "verifiable entity"), and
something that reflected the "relationship", rather than the "procedure"
(viz. "relying party", as opposed to "entity that forms certificate
chains starting at a particular authority"). The following thoughts
occurred to me (though I think my tongue might have been in my cheek at
the time):

Congregation (too religious?);
Constituency (too political?);
Target community (too military?); and
Subject community.

I quite like "subject community", although I can hear the objections
already. I mean "subject" in the way a monarchist would use the word,
not in the way a linguist would use it (or Messrs Bell and LaPadula, for
that matter). A composite trust structure could be considered atomic by
a relying party that consumes an X.509 certificate processing function.
In this case all verifiable entities would be subjects of the trust
structure, even though they are identified in the "subject" field of a
certificate issued by a CA other than the one where the relying party
starts its paths. The monarchist would think of this as imperialism,
and would thoroughly approve.

So, the definition of cross-certification becomes:

Authority A cross-certifies Authority B if the subject community of A is
extended (potentially with restrictions) to include all, or a subset,
of the subject community of B. But the relying party community of A is
not similarly extended.

The subject community of an authority is the set of end-entities whose
certificates will validate correctly, according to the X.509 certificate
processing rules, by any relying party who forms certificate paths
starting from that authority.

The relying party community of an authority is the set of end-entities
who form certificate paths starting from that authority.

This process may also be called "unilateral cross-certification". If
the process is also performed by Authority B on Authority A, then the
process can be called "mutual cross-certification". Unless qualified,
the term "cross-certification" should be taken to mean "unilateral
cross-certification".

What do you think? Best regards. Tim.
--------------------------------------------------------------
Tim Moses, Entrust Technologies,
Tel: 613 247 3183,
email: tim.moses@entrust.com.
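The definitions proposed in the message above (subject community, relying party community, unilateral versus mutual cross-certification) can be made concrete with a small path-building model. The following is an added example written for this archive page, not code from the message's author or from any PKIX work; the authorities "A" and "B", the end-entity names, the relying parties and the "name suffix" restriction (a simplified stand-in for X.509 name constraints) are all constructed for illustration.

```python
"""Toy model of "subject community" and "relying party community" under
cross-certification. Added example, not part of the original message; every
CA, end-entity, relying party and restriction below is constructed."""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# A restriction carried by a cross-certificate: a set of name suffixes, one of
# which an end-entity name must end with (stand-in for name constraints).
# None means the cross-certificate is unrestricted.
Restriction = Optional[FrozenSet[str]]


class PKI:
    def __init__(self) -> None:
        # issuer CA -> cross-certificates it issued: (subject CA, restriction)
        self.cross_certs: Dict[str, List[Tuple[str, Restriction]]] = {}
        # CA -> end-entities it has certified directly
        self.ee_certs: Dict[str, Set[str]] = {}
        # relying party -> the authority at which it starts certificate paths
        self.anchor_of: Dict[str, str] = {}

    def certify(self, ca: str, end_entity: str) -> None:
        self.ee_certs.setdefault(ca, set()).add(end_entity)

    def cross_certify(self, issuer: str, subject_ca: str,
                      restriction: Optional[Set[str]] = None) -> None:
        r = frozenset(restriction) if restriction is not None else None
        self.cross_certs.setdefault(issuer, []).append((subject_ca, r))

    def add_relying_party(self, rp: str, anchor: str) -> None:
        self.anchor_of[rp] = anchor

    def subject_community(self, authority: str) -> Set[str]:
        """End-entities whose certificates validate for a relying party that
        starts its paths at `authority`: breadth-first walk over every
        cross-certificate path, accumulating restrictions along the way, and
        collect the end-entities of each reachable CA that satisfy them all."""
        start = (authority, frozenset())  # (CA, restrictions gathered so far)
        seen = {start}
        queue = deque([start])
        community: Set[str] = set()
        while queue:
            ca, restrictions = queue.popleft()
            for ee in self.ee_certs.get(ca, ()):
                if all(any(ee.endswith(s) for s in r) for r in restrictions):
                    community.add(ee)
            for subject_ca, r in self.cross_certs.get(ca, ()):
                gathered = restrictions if r is None else frozenset(restrictions | {r})
                state = (subject_ca, gathered)
                # Restrictions only ever accumulate, so the state space is finite
                # and mutual (cyclic) cross-certification terminates.
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
        return community

    def relying_party_community(self, authority: str) -> Set[str]:
        """Relying parties that form paths starting at `authority`. Issuing a
        cross-certificate never changes this set, as the definition requires."""
        return {rp for rp, a in self.anchor_of.items() if a == authority}

    def cross_certifies(self, a: str, b: str) -> bool:
        """Unilateral cross-certification: A has issued a cross-certificate to B."""
        return any(subject == b for subject, _ in self.cross_certs.get(a, ()))

    def mutually_cross_certified(self, a: str, b: str) -> bool:
        return self.cross_certifies(a, b) and self.cross_certifies(b, a)


def build_example() -> PKI:
    """Constructed scenario: A cross-certifies B, restricted to names under
    b.example, so only part of B's subject community joins A's."""
    pki = PKI()
    pki.certify("A", "alice@a.example")
    pki.certify("B", "bob@b.example")
    pki.certify("B", "carol@c.example")  # B also certifies an entity outside b.example
    pki.add_relying_party("rp-of-A", "A")
    pki.add_relying_party("rp-of-B", "B")
    pki.cross_certify("A", "B", {"@b.example"})
    return pki


if __name__ == "__main__":
    pki = build_example()
    print("subject community of A:", sorted(pki.subject_community("A")))
    print("relying party community of A:", sorted(pki.relying_party_community("A")))
    pki.cross_certify("B", "A")  # now mutual
    print("subject community of B:", sorted(pki.subject_community("B")))
    print("mutual:", pki.mutually_cross_certified("A", "B"))
```

Running it shows the two halves of the proposed definition: after A's restricted cross-certificate, `bob@b.example` validates for A's relying party but `carol@c.example` does not, while A's relying party community is unchanged; adding the reverse cross-certificate from B makes the relationship mutual and pulls `alice@a.example` into B's subject community.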