[cabfpub] Terminology/Style question
pzb at amzn.com
Mon Apr 3 00:39:56 UTC 2017
I’m trying to draft a proposed revision to the BRs and ran into a terminology/style question.
Key Pair: a set of cryptographic keys, usable with an asymmetric key cryptographic algorithm, consisting of a Private Key, a Public Key, and associated parameters. For any given Private Key and parameter set, there exists exactly one associated Public Key.
A Certification Authority (CA) has a single Distinguished Name (DN) and one or more Key Pairs. Therefore a CA has at least one Private Key and at least one Public Key and may have multiple Private Keys and Public Keys.
Which of the following is preferred:
A Signature is created using a Private Key. (It is not created _by_ a Private Key.)
1A) A Certificate is issued by a CA when a Signature is created over a TBSCertificate with the Distinguished Name of a CA in the Issuer component using a Private Key of the CA.
1B) A Certificate is issued by a CA when a Signature is created over a TBSCertificate with the CA’s Distinguished Name in the Issuer component using the CA’s Private Key.
A Signature is the result of signing data using a Private Key. (It is not signed _by_ a Private Key.)
2A) A Certificate is issued by a CA when a TBSCertificate with the Distinguished Name of a CA in the Issuer component is signed using a Private Key of the CA.
2B) A Certificate is issued by a CA when a TBSCertificate with the CA’s Distinguished Name in the Issuer component is signed using the CA’s Private Key.
The difference been the A and B versions with whether or not to use a possessive noun with an inanimate object (the CA).
I would like to use one of these consistently and follow the style for other cases. Any one care to suggest which should be used?
 X.509 and RFC 5280 make the one to one mapping of CA and DN clear:
ITU-U X.509:2012 clause 7.2: "The value of serialNumber shall be unique for each public-key certificate issued by a given CA (i.e., the issuer name and serial number identify a unique public-key certificate). […] The issuer field shall hold the distinguished name of the CA that issued the public-key certificate.”
"NOTE 3 – The use of issuerUniqueIdentifier and the subjectUniqueIdentifier is deprecated. These fields were added because at one time there was some fear of the reuse of distinguished names.”
"A user may obtain one or more public-key certificates from one or more CAs. Each certificate bears the name of the CA which issued it."
RFC 5280 section 184.108.40.206: "The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).”
section 220.127.116.11: "The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field.”
 X.509 and RFC 5280 make it clear that a CA may have multiple keys:
ITU-U X.509:2012 clause 18.104.22.168: "It enables distinct keys used by the same CA to be distinguished (e.g., as key updating occurs)."
RFC 5280 section 22.214.171.124: This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover).
More information about the Public