[cabfcert_policy] Terminology alignment

Peter Bowen pzb at amzn.com
Wed Aug 23 08:08:46 MST 2017


Given that TSP is in the ISO doc (which is not EU specific), I think using “Trust Service Provider” is fine.

> On Aug 23, 2017, at 3:36 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
> 
> On 19/6/2017 4:52 AM, Peter Bowen wrote:
>> Moudrick,
>> 
>> This definition is also found in ETSI EN 319 411-1 V1.1.1.  It would seem that ETSI “punted” and is using CA to mean two things.  However it does leave open a path for alignment with ISO 21188: using the second option as the definition for CA.  Combining the ETSI and ISO definitions could look like:
>> 
>> Certification Authority (CA): a technical certificate generation service that is trusted by one or more entities to create, assign and revoke or hold public key certificates and is operated by a Trust Service Provider 
>> 
>> This would disambiguate the term.
>> 
>> Thanks,
>> Peter
> 
> Does anyone see any potential problems or concerns for using this definition for a "CA" (which is also IMO aligned with the way RFC5280 and RFC6960 use the term "CA") and add the definition of a "Trust Service Provider" in the BRs as an organization that operates a "CA"? Would it be better if we used "CA Operator" instead of a "Trust Service Provider"?
> 
> If the WG has no objections, we could forward this option to the larger forum. We can propose this to the larger forum and discuss if "Trust Service Provider" or "CA Operator" would be preferable.
> 
> 
> Dimitris.
> 
>> 
>>> On Jun 18, 2017, at 2:21 PM, Moudrick M. Dadashov <md at ssc.lt> wrote:
>>> 
>>> ETSI TR 119 001 V1.2.1 (2016-03) Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations:
>>> 
>>> certification authority: authority trusted by one or more users to create and assign public-key certificates
>>> 
>>> NOTE 1: Optionally the certification authority can create the subjects' keys.
>>> NOTE 2: A certification authority can be:
>>> 
>>> 1) a trust service provider that creates and assigns public key certificates; or
>>> 2) a technical certificate generation service that is used by a certification service provider that creates and assign public key certificates.
>>> 
>>> Thanks,
>>> M.D.
>>> 
>>> 
>>> On 6/18/2017 7:57 PM, Peter Bowen wrote:
>>>> It was recently pointed out to me that WebTrust for CAs is based on ISO 21188.  ISO is in the process of revising this standard and has published a revised version as a Draft International Standard (DIS).  This revision is called ISO/DIS 21188.
>>>> 
>>>> Unlike many other reference documents, ISO/DIS 21188 clearly resolves the CA term. A Trust Services Provider (TSP) is a company or organization.  A TSP operates Certification Authorities.  The requirements in the standard usually start with the phrase “The CA shall”, so it is clear that this phrasing is not in conflict with these definitions.
>>>> 
>>>> Excerpts from ISO/DIS 21188, unmodified except to replace “financial institution” with “company”:
>>>> 
>>>> 3 Terms and definitions
>>>> 
>>>> 3.21 
>>>> certification authority 
>>>> CA 
>>>> entity (3.32) trusted by one or more entities to create, assign and revoke or hold public key certificates 
>>>> 
>>>> 3.52 
>>>> relying party RP 
>>>> recipient of a certificate who acts in reliance on that certificate, digital signatures verified using that certificate, or both 
>>>> 
>>>> 3.65 
>>>> trust services provider TSP 
>>>> approved organization (as determined by the contractual participants) providing trust services, through a number of certification authorities (3.21), to their customers who may act as subscribers or relying parties (3.52) 
>>>> NOTE A trust services provider may also provide certificate validation services.
>>>> 
>>>> 5.2 What is PKI?
>>>> 
>>>> PKIs are a practical technical solution to the problems posed by open networks. [Companies] are becoming trust services providers (TSPs), to take advantage of the growing market for security and authentication in online communications. Relying parties, as recipients of information, use TSPs to validate certificates used to authenticate on-line communications. A TSP may be an entity providing one or more trusted services, e.g. a Certification Authority or a Validation Service. A TSP is a recognized authority trusted by one or more relying parties to create and sign certificates. A TSP may also revoke certificates it has created and issued. A TSP operates one or more certification authorities (CAs) whose core functions are certificate issuing, certificate distribution and certificate validation. Within a [company], a CA is not necessarily a business entity but may be a unit or a function providing CA functions that may be trusted by relying parties and subscribing parties. 
>>>> 
>>>> The [company] may act as a TSP issuing certificates to the public and permits validation of certificates in an open network environment. TSPs may operate under voluntary TSP accreditation schemes or within an indigenous regulatory framework. Typically, there is no formal contract between the subscriber's TSP and the relying party 
>>>> 
>>>> I apologize for missing the last couple of WG meetings, so I’m a little behind on current status of the discussion.  I hope that this does not run directly contrary to the current state.
>>>> 
>>>> Thanks,
>>>> Peter
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Policyreview mailing list
>>>> Policyreview at cabforum.org <mailto:Policyreview at cabforum.org>
>>>> https://cabforum.org/mailman/listinfo/policyreview <https://cabforum.org/mailman/listinfo/policyreview>
>>> 
>> 
> 
