Re: [IETF-PKIX] Definition of terms
> From: Tim Moses <tim.moses@ENTRUST.COM>
> Subject: [IETF-PKIX] Definition of terms
> To: IETF-PKIX@LISTS.TANDEM.COM
>
> Dave - Thanks for your thoughtful response. I understand your concern
> over the choice of the term "subscriber community". Apart from
> anything, it seems to suggest that money has to change hands, which
> isn't necessarily the case at all. I suppose I felt a little discomfort
> with your suggestion, too: I wanted something that had a "friendly"
> singular form ("subscriber", as opposed to "verifiable entity"), and
> something that reflected the "relationship", rather than the "procedure"
> (viz. "relying party", as opposed to "entity that forms certificate
> chains starting at a particular authority").
>
> [...]
>
> So, the definition of cross-certification becomes:
>
> Authority A cross-certifies Authority B if the subject community of A is
1)-------
> extended (potentially with restrictions) to include all, or a sub-set,
> of the subject community of B. But, the relying party community of A is
2)------- 3)-------------
> not similarly extended.
>
> The subject community of an authority is the set of end-entities whose
> certificates will validate correctly, according to the X.509 certificate
> processing rules, by any relying party who forms certificate paths
> starting from that authority.
>
> The relying party community of an authority is the set of end-entities
> who form certificate paths starting from that authority.
Tim,
I'm not too worried about fine nuances in the language; those can
be worked out later if anyone has issues with them. I have two other,
more basic concerns.
a) there are clearly two communities that must be distinguished, but
I am having a hard time distinguishing from your definition which
name applies to which community.
Assume for concreteness two (root) CAs - MISSI and Entrust, and
two users dave@MISSI and tim@Entrust, and assume that MISSI issues
a unilateral cross-cert to Entrust.
My intuitive understanding of the words "subject" or "subscriber"
leads me to think that for MISSI:
subject community = { dave }
relying party (or verifiable) community = { dave, tim }
and for Entrust:
subject community = { tim }
rp community = { tim }
But if I understand your definition above, it appears to be the
subject community, not the rp community, which is extended by the
act of issuing a cross cert. That seems like a counter-intuitive
use of the terms subject/subscriber/congregation/etc. I don't have
any preference for using subject vice subscriber; I just think that
either of those terms should refer to the community which is not
extended by unilateral cross-certification. And that relying party
or verifiable should refer to the community which is extended.
b) Whatever words are chosen, I object to the fact that community
underlined 1)-- in your definition is the same as community 2)--.
I believe that cross-certification should *never* be a transitive
process: if MISSI wants to verify users under Entrust and VeriSign,
MISSI MUST issue cross-certs to both. If MISSI issues a cross-cert
to VeriSign, and VeriSign issues one to Entrust, that should never
be a sufficient condition for dave@MISSI to be able to validate
a signature from tim@Entrust.
Communities 2) and 3) should use one word (subscriber/subject/...),
and community 1) should be the other word (relying party/...).
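The two communities Dave distinguishes, and the transitivity question in point b), can be made concrete with a small path-building model. The following is an added worked example, not code from the list or from either author: the CA names MISSI, Entrust and VeriSign and the users dave, tim and a hypothetical "vera" are constructed sample data, and the cross-certificates are plain (issuer, subject) edges. Paths are built from a trust anchor exactly as Tim's definition says, so the "verifiable" community of a CA is whatever a relying party starting at that CA can reach, while the subject community is just the end entities the CA certifies directly. Two ways to make cross-certification non-transitive are modelled: a relying-party rule that allows at most one cross-certificate per path (Dave's position), and the X.509 basicConstraints pathLenConstraint that the issuing CA can put in the cross-certificate itself.

```python
"""Toy model of subject vs. relying-party (verifiable) communities under
cross-certification.  Constructed example for illustration; CA and user
names are assumptions, not real PKI data."""
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Set


class CrossCert(NamedTuple):
    issuer: str
    subject: str
    # X.509 basicConstraints.pathLenConstraint: how many further CA
    # certificates may follow this one in a path (None = no limit).
    path_len: Optional[int] = None


# Constructed sample data: the end entities each CA certifies directly.
END_ENTITIES: Dict[str, Set[str]] = {
    "MISSI": {"dave"},
    "Entrust": {"tim"},
    "VeriSign": {"vera"},
}


def subject_community(ca: str, end_entities=END_ENTITIES) -> Set[str]:
    """End entities certified directly by `ca`; no cross-cert changes this."""
    return set(end_entities.get(ca, ()))


def verifiable_community(anchor: str, cross_certs: List[CrossCert],
                         end_entities=END_ENTITIES,
                         max_hops: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each end entity whose path validates from `anchor` to that path
    (as a list of CA names).

    max_hops is the relying party's own limit on cross-certificates per
    path (1 = cross-certification is never transitive); path_len on a
    cross-certificate is the limit the issuing CA embedded in it.
    """
    found: Dict[str, List[str]] = {}
    # State: (current CA, CA path so far, CA certs still allowed; None = unlimited)
    queue = deque([(anchor, [anchor], max_hops)])
    seen = set()
    while queue:
        ca, path, remaining = queue.popleft()
        if (ca, remaining) in seen:
            continue
        seen.add((ca, remaining))
        for ee in end_entities.get(ca, ()):
            found.setdefault(ee, path)  # BFS: first path found is shortest
        if remaining == 0:
            continue  # no further CA certificate may follow in this path
        for cert in cross_certs:
            if cert.issuer != ca or cert.subject in path:
                continue  # not issued by this CA, or would form a loop
            nxt = None if remaining is None else remaining - 1
            if cert.path_len is not None:
                nxt = cert.path_len if nxt is None else min(nxt, cert.path_len)
            queue.append((cert.subject, path + [cert.subject], nxt))
    return found


def unilateral_example() -> Dict[str, Set[str]]:
    """MISSI issues one cross-cert to Entrust: only MISSI's verifiable
    community grows; Entrust's does not, and subject communities never do."""
    certs = [CrossCert("MISSI", "Entrust")]
    return {ca: set(verifiable_community(ca, certs)) for ca in END_ENTITIES}


def chained_example() -> Dict[str, Dict[str, List[str]]]:
    """MISSI -> VeriSign -> Entrust: naive path building lets dave validate
    tim; a one-hop relying-party rule or pathLenConstraint=0 on MISSI's
    cross-cert both stop that."""
    certs = [CrossCert("MISSI", "VeriSign"), CrossCert("VeriSign", "Entrust")]
    constrained = [CrossCert("MISSI", "VeriSign", path_len=0),
                   CrossCert("VeriSign", "Entrust")]
    return {
        "transitive": verifiable_community("MISSI", certs),
        "rp_one_hop": verifiable_community("MISSI", certs, max_hops=1),
        "issuer_pathlen0": verifiable_community("MISSI", constrained),
    }


if __name__ == "__main__":
    print("subject(MISSI) =", subject_community("MISSI"))
    print("unilateral:", unilateral_example())
    for policy, members in chained_example().items():
        print(policy, members)
```

Running the unilateral case gives MISSI a verifiable community of {dave, tim} while its subject community stays {dave}, which is the split Dave describes. In the chained case the transitive path for tim is MISSI, VeriSign, Entrust; both the relying-party one-hop rule and a pathLenConstraint of 0 on the MISSI-to-VeriSign cross-certificate cut it down to {dave, vera}, so MISSI has to cross-certify Entrust itself to admit tim.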