RE: [x500standard] Certificate definitions

Russ Housley <housley@vigilsec.com> Fri, 03 April 2009 17:08 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D77F73A6859 for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 3 Apr 2009 10:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.104
X-Spam-Level:
X-Spam-Status: No, score=-99.104 tagged_above=-999 required=5 tests=[AWL=-3.215, BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, MIME_BOUND_EQ_REL=2.832, MIME_HTML_ONLY=1.457, SARE_GIF_ATTACH=1.42, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FooUFTbf9DwQ for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 3 Apr 2009 10:08:56 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 42A9D3A67E4 for <pkix-archive@ietf.org>; Fri, 3 Apr 2009 10:08:55 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n33GcPJ6002593 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n33GcP34002592; Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n33GcOw4002586 for <ietf-pkix@imc.org>; Fri, 3 Apr 2009 09:38:25 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id B66C4F24001; Fri, 3 Apr 2009 12:38:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id SQ4Q9yi+P+yV; Fri, 3 Apr 2009 12:38:23 -0400 (EDT)
Received: from THINKPADR52.vigilsec.com (pool-71-191-197-15.washdc.fios.verizon.net [71.191.197.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id A07DA9A4725; Fri, 3 Apr 2009 12:38:37 -0400 (EDT)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 03 Apr 2009 12:38:15 -0400
To: Erik Andersen <era@x500.eu>, x500standard@freelists.org, 'PKIX' <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: [x500standard] Certificate definitions
In-Reply-To: <3C35976D27EB42F590A0B142D903E7C7@ERA1>
References: <1C740690094340D3B49DADD21AD98606@ERA1> <3C35976D27EB42F590A0B142D903E7C7@ERA1>
Mime-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=====================_180813421==.REL"
Message-Id: <20090403163837.A07DA9A4725@odin.smetech.net>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

I'm a pit strapped for time right noe, but just looking at your picture, I see something that causes pause.  An AA certificate issues a Cross-Certificate?  That does not seem right.

Russ


At 11:00 AM 4/3/2009, Erik Andersen wrote:
I take silence as approval.
 
Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@x500.eu
http://www.x500.eu/" rel="nofollow">www.x500.eu
http://www.x500standard.com/" rel="nofollow"> www.x500standard.com
 
-----Original Message-----
From: x500standard-bounce@freelists.org [ mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: 1. april 2009 14:40
To: Directory list; PKIX
Subject: [x500standard] Certificate definitions
 
Hi
 
I got a number of responses on user certificates, but quite little that actually answered my question.
 
I have tried to dig a little bit more in X.509 to get hold of the terminology and then produced below figure. I will not comment all the boxes.
 
[]

 
I will like you to comments as to the correctness of above figure.
 
The end-entity certificate is not defined in the definition clause. However it is used widely in the main text. It is mentioned the first time in clause 7 as a public-key certificate. There are several other places where it is a public-key certificate. In 15.5.2.4 is used in the context of attribute certificates. The conclusion must be that an end-entity certificate can either be a end-entity public-key certificate or an end-entity attribute certificate. However, in most places, it is implied that we only talks about public-key certificates. For veterans, this is not a major problem, but new-comers may get confused. Anyway, I thing our specifications should be clear and not subject to interpretation. RFC 5280 does not use the term at all. It seems just to use the term “certificate” as a synonym for “end-entrity public key certificate”.
 
The “User Certificate”  is not defined in X.509, but is wide used. It seems to be a synonym for “end-entrity public key certificate”. It is also used in X.511. RFC 5280 uses the term once without differenting it from just “certificate”.
 
The term “cross-certificate” should probably also be qualified.
 
I suggest to add in X.509 definitions for:
 
“end-entity public-key certificate”
“user certictate” as a synonym for “end-entity public-key certificate”
“end-entity attrubute certificate”
 
The X.509 text should be updated to make use of these definitions.
 
X.509 has four attribute types for holding certificates.
 
UserCertificate: For end-entity public-key certificates
cAcertificate: For CA certificates
attributeCertificateAttribute: For end-entity attrubute certificates
aACertificate: For AA Certificates
 
Any comments?
 
Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@x500.eu
http://www.x500.eu/" rel="nofollow">www.x500.eu
http://www.x500standard.com/" rel="nofollow"> www.x500standard.com