On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik <michael.woj...@microfocus.com> wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Wednesday, February 12, 2020 12:35
> >
> > Even though I used what might be the wrong terms, I'm sure you knew what I
> > meant ...
>
> Sure. But PKIX, and X.509-based PKI more generally, are - not to mince words
> - horrible. They're agonizingly complicated and confusing, and arguably
> fundamentally broken in various respects. (See for example the issues raised
> by the infamous "The OSI of a New Generation" presentation.)

I'm not sure how "infamous" it is, as I've never heard of it, even in passing. :-)

> And here on the openssl-users list there are people with widely varying
> experience with and understanding of these matters; and the list is archived
> in various places, which means there's some chance someone will read these
> notes years from now. Many of those people don't have the time to become
> experts in PKI, and will want to be able to search for additional information
> based on what they see here.

Yeah, that would be me. :-)

> So it's useful to try to be very precise in our terminology.

You're right, of course.

> Often, for example, the cognoscenti will refer to a certificate's "purpose".
> That's an ambiguous term. In context it might refer to Basic Constraints, or
> Key Usage, or Extended Key Usage, or even the old Netscape Cert Type; it
> might refer to something inferred from other attributes (if Subject DN is the
> same as Issuer DN, then it's self-signed and possibly a root); or it might
> refer to something particular to its PKI or application, and not actually an
> attribute of the certificate at all. That's fine when we all understand what
> we're talking about. On the list, however, it's best to be explicit: "EKU
> should include TLS Web Server Authentication for this type of certificate"
> and so forth.
>
> For some readers, using "CA" and "certificate" interchangeably could be very
> confusing.
>
> So I'm not being pedantic just for its own sake (I can yell at the television
> for that). Apologies if it came across that way.

I get it. Sorry I snapped. No apologies needed on your side.

--
Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...