[cabfcert_policy] Terminology alignment

Peter Bowen pzb at amzn.com
Sun Jun 18 09:57:16 MST 2017


It was recently pointed out to me that WebTrust for CAs is based on ISO 21188.  ISO is in the process of revising this standard and has published the revised version as a Draft International Standard (DIS).  This revision is called ISO/DIS 21188.

Unlike many other reference documents, ISO/DIS 21188 clearly resolves the CA term.  A Trust Services Provider (TSP) is a company or organization.  A TSP operates Certification Authorities.  The requirements in the standard usually start with the phrase “The CA shall”, so it is clear that this phrasing is not in conflict with these definitions.

Excerpts from ISO/DIS 21188, unmodified except to replace “financial institution” with “company”:

3 Terms and definitions

3.21 
certification authority 
CA 
entity (3.32) trusted by one or more entities to create, assign and revoke or hold public key certificates 

3.52 
relying party 
RP 
recipient of a certificate who acts in reliance on that certificate, digital signatures verified using that certificate, or both 

3.65 
trust services provider 
TSP 
approved organization (as determined by the contractual participants) providing trust services, through a number of certification authorities (3.21), to their customers who may act as subscribers or relying parties (3.52) 
NOTE A trust services provider may also provide certificate validation services. 

5.2 What is PKI?

PKIs are a practical technical solution to the problems posed by open networks. [Companies] are becoming trust services providers (TSPs), to take advantage of the growing market for security and authentication in online communications. Relying parties, as recipients of information, use TSPs to validate certificates used to authenticate on-line communications. A TSP may be an entity providing one or more trusted services, e.g. a Certification Authority or a Validation Service. A TSP is a recognized authority trusted by one or more relying parties to create and sign certificates. A TSP may also revoke certificates it has created and issued. A TSP operates one or more certification authorities (CAs) whose core functions are certificate issuing, certificate distribution and certificate validation. Within a [company], a CA is not necessarily a business entity but may be a unit or a function providing CA functions that may be trusted by relying parties and subscribing parties. 

The [company] may act as a TSP issuing certificates to the public and permits validation of certificates in an open network environment. TSPs may operate under voluntary TSP accreditation schemes or within an indigenous regulatory framework. Typically, there is no formal contract between the subscriber's TSP and the relying party. 

I apologize for missing the last couple of WG meetings, so I’m a little behind on current status of the discussion.  I hope that this does not run directly contrary to the current state.

Thanks,
Peter