RE: [x500standard] Certificate definitions
Russ Housley <housley@vigilsec.com> Fri, 03 April 2009 17:08 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D77F73A6859 for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 3 Apr 2009 10:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.104
X-Spam-Level:
X-Spam-Status: No, score=-99.104 tagged_above=-999 required=5 tests=[AWL=-3.215, BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, MIME_BOUND_EQ_REL=2.832, MIME_HTML_ONLY=1.457, SARE_GIF_ATTACH=1.42, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FooUFTbf9DwQ for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 3 Apr 2009 10:08:56 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 42A9D3A67E4 for <pkix-archive@ietf.org>; Fri, 3 Apr 2009 10:08:55 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n33GcPJ6002593 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n33GcP34002592; Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n33GcOw4002586 for <ietf-pkix@imc.org>; Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id B66C4F24001; Fri, 3 Apr 2009 12:38:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id SQ4Q9yi+P+yV; Fri, 3 Apr 2009 12:38:23 -0400 (EDT)
Received: from THINKPADR52.vigilsec.com (pool-71-191-197-15.washdc.fios.verizon.net [71.191.197.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id A07DA9A4725; Fri, 3 Apr 2009 12:38:37 -0400 (EDT)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 03 Apr 2009 12:38:15 -0400
To: Erik Andersen <era@x500.eu>, x500standard@freelists.org, 'PKIX' <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: [x500standard] Certificate definitions
In-Reply-To: <3C35976D27EB42F590A0B142D903E7C7@ERA1>
References: <1C740690094340D3B49DADD21AD98606@ERA1> <3C35976D27EB42F590A0B142D903E7C7@ERA1>
Mime-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=====================_180813421==.REL"
Message-Id: <20090403163837.A07DA9A4725@odin.smetech.net>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ
At 11:00 AM 4/3/2009, Erik Andersen wrote:
I take silence as approval.
Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@x500.eu
http://www.x500.eu/" rel="nofollow">www.x500.eu
http://www.x500standard.com/" rel="nofollow"> www.x500standard.com
-----Original Message-----
From: x500standard-bounce@freelists.org [ mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions
Hi
I got a number of responses on user certificates, but quite little that actually answered my question.
I have tried to dig a little bit more in X.509 to get hold of the terminology and then produced below figure. I will not comment all the boxes.
![]()
I will like you to comments as to the correctness of above figure.
The end-entity certificate is not defined in the definition clause. However it is used widely in the main text. It is mentioned the first time in clause 7 as a public-key certificate. There are several other places where it is a public-key certificate. In 15.5.2.4 is used in the context of attribute certificates. The conclusion must be that an end-entity certificate can either be a end-entity public-key certificate or an end-entity attribute certificate. However, in most places, it is implied that we only talks about public-key certificates. For veterans, this is not a major problem, but new-comers may get confused. Anyway, I thing our specifications should be clear and not subject to interpretation. RFC 5280 does not use the term at all. It seems just to use the term certificate as a synonym for end-entrity public key certificate.
The User Certificate is not defined in X.509, but is wide used. It seems to be a synonym for end-entrity public key certificate. It is also used in X.511. RFC 5280 uses the term once without differenting it from just certificate.
The term cross-certificate should probably also be qualified.
I suggest to add in X.509 definitions for:
end-entity public-key certificate
user certictate as a synonym for end-entity public-key certificate
end-entity attrubute certificate
The X.509 text should be updated to make use of these definitions.
X.509 has four attribute types for holding certificates.
UserCertificate: For end-entity public-key certificates
cAcertificate: For CA certificates
attributeCertificateAttribute: For end-entity attrubute certificates
aACertificate: For AA Certificates
Any comments?
Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@x500.eu
http://www.x500.eu/" rel="nofollow">www.x500.eu
http://www.x500standard.com/" rel="nofollow"> www.x500standard.com
- Certificate definitions Erik Andersen
- RE: [x500standard] Certificate definitions Erik Andersen
- RE: [x500standard] Certificate definitions Denis Pinkas
- RE: [x500standard] Certificate definitions Russ Housley
- RE: [x500standard] Re: Certificate definitions Santosh Chokhani
- RE: [x500standard] Re: Certificate definitions Santosh Chokhani
- RE: [x500standard] Re: Certificate definitions Erik Andersen
- Re: [x500standard] Re: Certificate definitions David A. Cooper
- RE: [x500standard] Re: Certificate definitions Santosh Chokhani
- Re: [x500standard] Re: Certificate definitions Stefan Santesson
- RE: [x500standard] Re: Certificate definitions Santosh Chokhani
- RE: [x500standard] Re: Certificate definitions Tom Gindin