[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Use of "verification" vs. "validation"

To: ietf-pkix@xxxxxxx
Subject: Use of "verification" vs. "validation"
From: "Robert W. Shirey" <rshirey@xxxxxxx>
Date: Mon, 21 Dec 1998 14:20:21 -0500
Sender: owner-ietf-pkix@xxxxxxx

I would like to try to encourage a general correction and clean-up of
language in PKIX documents and realted material. My immediate concern is
the use of the word "validation" versus the word "verification".

These words have different meanings, and we need to use both meanings. So
we should not be using these words with the same meaning (as PKIX , X.509,
and FPKI presently are), expecially not when one of the meanings
contradicts the dictionary.

Please consider the following entry from a rather large glossary that I
have been compiling for private use:

verify vs. validate
-------------------
This glossary prefers "verification" over "validation" to denote what a
certificate user does to determine the trustworthiness of assertions made
in a certificate (or certification path, or CRL, or CKL). Although the
verbs "to verify" and "to validate" are close in meaning, "verify" has more
of a sense of testing the truth or accuracy of a statement by examining
evidence or conducting experiments, while "validate" has more of a sense of
declaring a statement to be true and marking it with an indication of
official sanction. [See 3rd edition of the American Heritage Dictionary of
the English Language]

For example, the store clerk stamps your parking pass to validate it for
free parking, and the parking attendant examines the stamp to verify that
you can park for free.

This interpretation of "validate" could have led to the term "digital
certificate validation" to refer to the act whereby a certification
authority places a digital signature on a data object. However, this term
is not in general use.
--------------------------------------------------------------------------

Scanning X.509, the FPKI Conops, and IETF documents, we see that they tend
to use the terms interchangably (unfortunately), although some of the uses
of validate are "correct" uses in the sense explained above. That is,
validate is used with two different meanings.  The instances that mean
verify should be corrected to avoid confusion with the others and to avoid
contradicting the definitions already found in dictionaries.

Furthermore, we need to move quickly to keep validate from being corrupted
with the meaning from verify, because we will more and more need to use
validate in its correct sense. For example, we will need to talk about how
a digital notary validates a transaction by signing a collection of
transaction data.

The following are some additional entries from my glossary:

valid certificate
-----------------
(R) A digital certificate for which the binding of the data items can be
trusted.

validity period
---------------
(R) A data item in a digital certificate that specifies the time period for
which the binding between data items (especially between the subject name
and the public key value in a public-key certificate) is valid, except if
the certificate appears on a CRL or the key appears on a CKL.

verification
------------
(R) This term has the following security-related meanings:

o System verification. The process of comparing two levels of system
specification for proper correspondence, such as comparing a security
policy with a top-level specification, a top-level specification with
source code, or source code with object code.

o Identification verification. Presenting information to establish the
truth of a claimed identity.

o Certificate verification.  Checking a digital certificate (or CRL or CKL)
to determine whether its assertions can be trusted. (Also see certificate
verification and verify vs. validate.)

certificate verification
------------------------
(R) The act or process of testing a digital certificate to determine
whether the assertions it makes can be trusted.
Regards, -Rob-

rshirey@bbn.com, Phone 703-284-4641, Reception 284-4600, Fax 284-2766
Robert W. Shirey, GTE Internetworking - Mail Stop 30/12B2, Suite 1200
1300 North Seventeenth Street, Arlington, Virginia   22209-3801   USA

Regards, -Rob-

rshirey@bbn.com, Phone 703-284-4641, Reception 284-4600, Fax 284-2766
Robert W. Shirey, GTE Internetworking - Mail Stop 30/12B2, Suite 1200
1300 North Seventeenth Street, Arlington, Virginia   22209-3801   USA

Prev by Date: Re: Invalidity Dates
Next by Date: Key Identifier
Previous by thread: Invitation to the next ABA Information Security Committee Meeting
Next by thread: Key Identifier
Index(es):
- Date
- Thread