
Re: [IETF-PKIX] Defining Terms w.r.t. Cross Cert...



Hi Bill,

>----------
>From:  Bill Burr[SMTP:william.burr@NIST.GOV]
>Sent:  Tuesday, February 17, 1998 3:28 PM
>To:    IETF-PKIX@LISTS.TANDEM.COM
>Subject:       Re: [IETF-PKIX] Defining Terms w.r.t. Cross Cert...
>
>The problem I have is that what you claim "people think of as a
>cross-certificate" is not at all, not even a little bit, what I think of as
>a cross-certificate.  I think a cross-certificate is a cross-certificate
>pair.   No more and no less.  And X.509 (June 1997 version) never uses
>"cross-certificate" except as a part of cross-certificate pair (unless
>there is some mysterious new amendment I've never seen that changes
>everything, and at this point I don't care about further amendments to
>X.509),

I suppose it depends on how you read the spec.  To me, X.509 defines
cross-certificate by implication, in that a "cross-certificate pair" is
a pair of cross-certificates (so that what goes in the "forward"
parameter is a cross-certificate and what goes in the "reverse"
parameter is another cross-certificate).  Read your way,
"cross-certificate pair" is a single item, not a pair of items (in this
case, what goes in the "forward" and "reverse" parameters are presumably
CA-certificates).

It is exactly this kind of ambiguity in X.509 that has led to all the
confusion over terminology in this area.  My preference is for PKIX to
define the terms clearly and unambiguously (at least for its own
purposes; i.e., within its own documents).  I don't see why trying to
align with the X.509 terminology is necessarily the optimum choice,
given that the ambiguous X.509 terminology is the problem we're trying
to solve...

Carlisle.
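To make the two readings of X.509 concrete, here is an added example (not part of this thread or of any PKIX document) that models the crossCertificatePair attribute of a CA's directory entry the way Carlisle reads it: the forward element is a certificate issued to this CA by another CA, the reverse element is a certificate issued by this CA to another CA, and each element is itself a certificate that a path-builder can use. The CA names, the Directory class and the use of an HMAC keyed with a per-CA secret as a stand-in for a real signature (so "public key" and signing key coincide) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac

# Constructed toy model. Signatures are HMACs with a symmetric per-CA key
# standing in for a real key pair; the point is the structure of the pair
# and how path building consumes its two halves, not the cryptography.


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    subject_key: bytes      # stand-in for SubjectPublicKeyInfo
    signature: bytes

    def tbs(self) -> bytes:
        # stand-in for the to-be-signed portion of the certificate
        return b"|".join([self.issuer.encode(), self.subject.encode(), self.subject_key])


@dataclass(frozen=True)
class CrossCertificatePair:
    # forward: certificate issued TO this CA by another CA
    # reverse: certificate issued BY this CA to another CA
    forward: Optional[Certificate] = None
    reverse: Optional[Certificate] = None


def make_key(name: str) -> bytes:
    return hashlib.sha256(b"toy-key:" + name.encode()).digest()


def issue(issuer: str, issuer_key: bytes, subject: str, subject_key: bytes) -> Certificate:
    unsigned = Certificate(issuer, subject, subject_key, b"")
    sig = hmac.new(issuer_key, unsigned.tbs(), hashlib.sha256).digest()
    return Certificate(issuer, subject, subject_key, sig)


def verify(cert: Certificate, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


@dataclass
class Directory:
    # CA name -> list of crossCertificatePair values held in that CA's entry
    entries: dict = field(default_factory=dict)

    def cross_certify(self, a: str, a_key: bytes, b: str, b_key: bytes) -> None:
        """Two CAs cross-certify: each issues a CA-certificate to the other.
        The same two certificates land in both entries with the roles swapped,
        which is what makes each half a cross-certificate in its own right."""
        a_to_b = issue(a, a_key, b, b_key)   # issued by A, subject B
        b_to_a = issue(b, b_key, a, a_key)   # issued by B, subject A
        self.entries.setdefault(a, []).append(CrossCertificatePair(forward=b_to_a, reverse=a_to_b))
        self.entries.setdefault(b, []).append(CrossCertificatePair(forward=a_to_b, reverse=b_to_a))


def build_path(directory: Directory, anchor: str, anchor_key: bytes,
               target: Certificate, max_len: int = 8) -> Optional[list]:
    """Depth-first walk from the trust anchor toward the target's issuer using
    only reverse elements (certificates issued BY the CA we currently trust).
    Each step is verified with the key established by the previous step, so a
    forged or stale certificate in the directory is skipped, not trusted."""
    def walk(ca, ca_key, chain, visited):
        if ca == target.issuer and verify(target, ca_key):
            return chain + [target]
        if len(chain) >= max_len:
            return None
        for pair in directory.entries.get(ca, []):
            rev = pair.reverse
            if rev is None or rev.issuer != ca or rev.subject in visited:
                continue
            if not verify(rev, ca_key):
                continue
            found = walk(rev.subject, rev.subject_key, chain + [rev], visited | {rev.subject})
            if found:
                return found
        return None
    return walk(anchor, anchor_key, [], {anchor})


def demo():
    """Alpha and Beta cross-certify, Beta and Gamma cross-certify, Gamma issues
    an end-entity certificate; a relying party trusting only Alpha builds the path."""
    d = Directory()
    keys = {n: make_key(n) for n in ("CA-Alpha", "CA-Beta", "CA-Gamma")}
    d.cross_certify("CA-Alpha", keys["CA-Alpha"], "CA-Beta", keys["CA-Beta"])
    d.cross_certify("CA-Beta", keys["CA-Beta"], "CA-Gamma", keys["CA-Gamma"])
    ee = issue("CA-Gamma", keys["CA-Gamma"], "alice@example.test", make_key("alice"))
    path = build_path(d, "CA-Alpha", keys["CA-Alpha"], ee)
    return [(c.issuer, c.subject) for c in path] if path else None


if __name__ == "__main__":
    print(demo())
```

Note that `d.entries["CA-Alpha"][0].reverse` and `d.entries["CA-Beta"][0].forward` are the same certificate object: the pair is a container for two independently verifiable CA-certificates, and the path-builder never needs the pair as a unit, only its halves.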