To: Paul Hoffman
From: Stephen Kent
Subject: Re: [pkix] 5280 clarifications
Date: Thu, 5 Apr 2012 15:33:33 -0400

At 12:11 PM -0700 4/5/12, Paul Hoffman wrote:
>On Apr 5, 2012, at 11:54 AM, Stephen Kent wrote:
>> Paul,
>> Thanks for the clarifications of intent, and the challenge to
>>re-word the text to yield shorter sentences.
>> How about:
>> It is common practice to use the X.509/PKIX certificate format to
>>transmit a trust anchor or the public key of an end-entity. These
>>certificates are delivered via channels that are deemed secure by
>>the RPs that accept them. Typically such certificates do not
>>include a BasicConstraints extension that asserts the cA Boolean,
>>i.e., they are not marked as CA certificates. A certificate of
>>this sort is validated using the public key from the
>>subjectPublicKeyInfo field, i.e., no CA has signed the certificate.
>>These certificates cannot formally be called "self-signed
>>certificates" or "self-issued certificates" because they do not
>>follow the definition in the preceding paragraph. The use of such
>>certificates is outside the scope of both X.509 and this
>>specification, with regard to certificate path processing.
>Excellent, and certainly much better than mine.
>--Paul Hoffman

It was a team effort!
