[cabfcert_policy] Terminology alignment

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed Aug 23 03:36:43 MST 2017


On 19/6/2017 4:52 AM, Peter Bowen wrote:
> Moudrick,
>
> This definition is also found in ETSI EN 319 411-1 V1.1.1.  It would 
> seem that ETSI “punted” and is using CA to mean two things.  However 
> it does leave open a path for alignment with ISO 21188: using the 
> second option as the definition for CA.  Combining the ETSI and ISO 
> definitions could look like:
>
>     Certification Authority (CA): a technical certificate generation
>     service that is trusted by one or more entities to create, assign
>     and revoke or hold public key certificates and is operated by a
>     Trust Service Provider
>
>
> This would disambiguate the term.
>
> Thanks,
> Peter

Does anyone see any potential problems or concerns with using this 
definition for a "CA" (which is also IMO aligned with the way RFC5280 
and RFC6960 use the term "CA") and adding the definition of a "Trust 
Service Provider" to the BRs as an organization that operates a "CA"? 
Would it be better if we used "CA Operator" instead of "Trust Service 
Provider"?

If the WG has no objections, we could forward this option to the larger 
forum. We can propose this to the larger forum and discuss if "Trust 
Service Provider" or "CA Operator" would be preferable.


Dimitris.

>
>> On Jun 18, 2017, at 2:21 PM, Moudrick M. Dadashov <md at ssc.lt 
>> <mailto:md at ssc.lt>> wrote:
>>
>> ETSI TR 119 001 V1.2.1 (2016-03) Electronic Signatures and 
>> Infrastructures (ESI); The framework for standardization of 
>> signatures; Definitions and abbreviations:
>>
>> certification authority: authority trusted by one or more users to 
>> create and assign public-key certificates
>>
>> NOTE 1: Optionally the certification authority can create the 
>> subjects' keys.
>> NOTE 2: A certification authority can be:
>>
>> 1) a trust service provider that creates and assigns public key 
>> certificates; or
>> 2) a technical certificate generation service that is used by a 
>> certification service provider that creates and assigns public key 
>> certificates.
>>
>> Thanks,
>> M.D.
>>
>>
>> On 6/18/2017 7:57 PM, Peter Bowen wrote:
>>> It was recently pointed out to me that WebTrust for CAs is based on 
>>> ISO 21188.  ISO is in the process of revising this standard and has 
>>> published the revised version as a Draft International Standard (DIS). 
>>> This revision is called ISO/DIS 21188.
>>>
>>> Unlike many other reference documents, ISO/DIS 21188 clearly 
>>> resolves the CA term. A Trust Services Provider (TSP) is a company 
>>> or organization.  A TSP operates Certification Authorities.  The 
>>> requirements in the standard usually start with the phrase “The CA 
>>> shall”, so it is clear that this phrasing is not in conflict with 
>>> these definitions.
>>>
>>> Excerpts from ISO/DIS 21188, unmodified except to replace “financial 
>>> institution” with “company”:
>>>
>>> 3 Terms and definitions
>>>
>>> 3.21
>>> certification authority
>>> CA
>>> entity (3.32) trusted by one or more entities to create, assign 
>>> and revoke or hold public key certificates
>>>
>>> 3.52
>>> relying party
>>> RP
>>> recipient of a certificate who acts in reliance on that certificate, 
>>> digital signatures verified using that certificate, or both
>>>
>>> 3.65
>>> trust services provider
>>> TSP
>>> approved organization (as determined by the contractual 
>>> participants) providing trust services, through a number of 
>>> certification authorities (3.21), to their customers who may act 
>>> as subscribers or relying parties (3.52)
>>> NOTE A trust services provider may also provide certificate 
>>> validation services.
>>>
>>> 5.2 What is PKI?
>>>
>>> PKIs are a practical technical solution to the problems posed by 
>>> open networks. [Companies] are becoming trust services providers 
>>> (TSPs), to take advantage of the growing market for security and 
>>> authentication in online communications. Relying parties, as 
>>> recipients of information, use TSPs to validate certificates used to 
>>> authenticate on-line communications. A TSP may be an entity 
>>> providing one or more trusted services, e.g. a Certification 
>>> Authority or a Validation Service. A TSP is a recognized authority 
>>> trusted by one or more relying parties to create and sign 
>>> certificates. A TSP may also revoke certificates it has created and 
>>> issued. A TSP operates one or more certification authorities (CAs) 
>>> whose core functions are certificate issuing, certificate 
>>> distribution and certificate validation. Within a [company], a CA is 
>>> not necessarily a business entity but may be a unit or a function 
>>> providing CA functions that may be trusted by relying parties and 
>>> subscribing parties.
>>>
>>> The [company] may act as a TSP issuing certificates to the public 
>>> and permitting validation of certificates in an open network 
>>> environment. TSPs may operate under voluntary TSP accreditation 
>>> schemes or within an indigenous regulatory framework. Typically, 
>>> there is no formal contract between the subscriber's TSP and the 
>>> relying party.
>>>
>>> I apologize for missing the last couple of WG meetings, so I’m a 
>>> little behind on current status of the discussion.  I hope that this 
>>> does not run directly contrary to the current state.
>>>
>>> Thanks,
>>> Peter
>>>
>>>
>>> _______________________________________________
>>> Policyreview mailing list
>>> Policyreview at cabforum.org
>>> https://cabforum.org/mailman/listinfo/policyreview
>>
