draft-ietf-wpkops-trustmodel-01.txt   draft-ietf-wpkops-trustmodel-02.txt 
Internet Engineering Task Force I. Barreira, Ed. Internet Engineering Task Force I. Barreira, Ed.
Internet-Draft Izenpe Internet-Draft Izenpe
Intended status: Best Current Practice B. Morton, Ed. Intended status: Best Current Practice B. Morton, Ed.
Expires: November 21, 2014 Entrust Expires: November 30, 2014 Entrust
May 20, 2014 May 29, 2014
Trust models of the Web PKI Trust models of the Web PKI
draft-ietf-wpkops-trustmodel-01 draft-ietf-wpkops-trustmodel-02
Abstract Abstract
This is one of a set of documents to define the operation of the Web This is one of a set of documents to define the operation of the Web
PKI. It describes the currently deployed Web PKI trust. PKI. It describes the currently deployed Web PKI trust.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 21, 2014. This Internet-Draft will expire on November 30, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 28 skipping to change at page 6, line 28
certificates are accepted by newer browsers and other browsers that certificates are accepted by newer browsers and other browsers that
can be updated in the field. As such newer CAs operate at a can be updated in the field. As such newer CAs operate at a
disadvantage to older CAs. disadvantage to older CAs.
The disadvantage can be addressed by having trust extended to the new The disadvantage can be addressed by having trust extended to the new
root certificate, by having the public key of the new root root certificate, by having the public key of the new root
certificate cross-signed by an older root CA which is already certificate cross-signed by an older root CA which is already
accepted in the older browsers. As the cross-certified root CA is accepted in the older browsers. As the cross-certified root CA is
also recognized directly by the root store provider, it operates in also recognized directly by the root store provider, it operates in
accordance with the requirements of that certificate policy to which accordance with the requirements of that certificate policy to which
the root CA conforms. , inIn addition, the cross-certified CA the root CA conforms. In addition, the cross-certified CA complies
complies to any requirements placed upon it by the contract between to any requirements placed upon it by the contract between it and the
it and the cross-certifying root CA. cross-certifying root CA.
3.2.2. Issuing CA is a third party to the root CA 3.2.2. Issuing CA is a third party to the root CA
An issuing CA may operate as a third party subordinate to the root An issuing CA may operate as a third party subordinate to the root
CA. The issuing CA's behaviour is governed by its contract with the CA. The issuing CA's behaviour is governed by its contract with the
root CA, which commonly stipulates adherence to the root store root CA, which commonly stipulates adherence to the root store
policy. Unlike the situation in section 3.2.1, the subordinate policy. Unlike the situation in section 3.2.1, the subordinate
issuing CA is not recognized independently by any relationship with issuing CA is not recognized independently by any relationship with
the root store provider. the root store provider.
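Review bot: In the last sentence of the cross-certification paragraph, the -02 text removes the stray ", inIn" but keeps "complies to any requirements placed upon it"; the usual construction is "complies with". Suggest "In addition, the cross-certified CA complies with any requirements placed upon it by the contract between it and the cross-certifying root CA." In the sentence before it, "that certificate policy to which the root CA conforms" does not say which root CA or which policy is meant (the new cross-certified root or the older cross-certifying one), so naming it explicitly would remove the ambiguity about which requirements bind the cross-certified CA.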
skipping to change at page 10, line 33 skipping to change at page 10, line 33
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. [RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
Wu, "Internet X.509 Public Key Infrastructure Certificate Wu, "Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework", RFC 3647, Policy and Certification Practices Framework", RFC 3647,
November 2003. November 2003.
Appendix A. Other references Appendix A. Other references
[BR-certs] - CA/Browser Forum, Baseline Requirements for the [BR-certs] - CA/Browser Forum, Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates. https:// Issuance and Management of Publicly-Trusted Certificates.
cabforum.org/baseline-requirements-documents/ https://cabforum.org/baseline-requirements-documents/
[Mozilla-CP] - Mozilla CA Certificate Policy. https:// [Mozilla-CP] - Mozilla CA Certificate Policy. https://www.mozilla
www.mozilla.org/projects/security/certs/policy/ .org/projects/security/certs/policy/
Authors' Addresses Authors' Addresses
Inigo Barreira (editor) Inigo Barreira (editor)
Izenpe Izenpe
Beato Tomas de Zumarraga 71, 1. 01008 Vitoria-Gasteiz. Spain Beato Tomas de Zumarraga 71, 1. 01008 Vitoria-Gasteiz. Spain
Phone: +34 945067705 Phone: +34 945067705
Email: i-barreira@izenpe.net Email: i-barreira@izenpe.net
Bruce Morton (editor) Bruce Morton (editor)
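Review bot: In Appendix A, the rewrapped [Mozilla-CP] entry now breaks the URL inside the hostname ("https://www.mozilla" followed by ".org/projects/security/certs/policy/"), which is easier to mis-copy than the -01 break after "https://". Suggest putting the whole URL on its own line, as the -02 text now does for [BR-certs].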
 End of changes. 6 change blocks. 
11 lines changed or deleted 11 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/