| (I) A tree-structured (loop-free) topology of relationships among
CAs and the entities to whom the CAs issue public-key
certificates. (See: hierarchical PKI.)
(C) In this structure, one CA is the top CA, the highest level of
the hierarchy. (See: root, top CA.) The top CA may issue
public-key certificates to one or more additional CAs that form the
second-highest level. Each of these CAs may issue certificates to
more CAs at the third-highest level, and so on. The CAs at the
second-lowest level of the hierarchy issue certificates only to non-CA
entities, called "end entities", that form the lowest level. (See:
end entity.) Thus, all certification paths begin at the top CA and
descend through zero or more levels of other CAs. All certificate
users base path validations on the top CA's public key.
(O) MISSI usage: A MISSI certification hierarchy has three or four
levels of CAs:
- A CA at the highest level, the top CA, is a "policy approving
authority".
- A CA at the second-highest level is a "policy creation
authority".
- A CA at the third-highest level is a local authority called a
"certification authority".
- A CA at the fourth-highest (optional) level is a "subordinate
certification authority".
(O) PEM usage: A PEM certification hierarchy has three levels of
CAs [R1422]:
- The highest level is the "Internet Policy Registration
Authority".
- A CA at the second-highest level is a "policy certification
authority".
- A CA at the third-highest level is a "certification authority".
(O) SET usage: A SET certification hierarchy has three or four
levels of CAs:
- The highest level is a "SET root CA".
- A CA at the second-highest level is a "brand certification
authority".
- A CA at the third-highest (optional) level is a "geopolitical
certification authority".
- A CA at the fourth-highest level is a "cardholder CA", a
"merchant CA", or a "payment gateway CA".
|
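The tree-structured, loop-free property from the (C) paragraph, as an added example that is not part of the original glossary text: it rejects a set of issuing relationships in which an entity has two issuers, a non-CA issues a certificate, or issuer links form a loop, and returns the certification path ordered from the top CA down. The entity names and the `(issuer, subject, is_ca)` record layout are constructed for illustration.

```python
# Added illustration: names and the (issuer, subject, is_ca) record layout are
# constructed for this example, not taken from any real PKI or library.
CERTS = [
    ("top-ca", "policy-ca", True),
    ("policy-ca", "local-ca", True),
    ("local-ca", "sub-ca", True),      # optional fourth CA level
    ("local-ca", "user-a", False),     # end entity
    ("sub-ca", "user-b", False),       # end entity
]


def index_hierarchy(certs, top_ca):
    """Return {subject: issuer}, rejecting anything that is not a tree under top_ca."""
    issuer_of, cas = {}, {top_ca}
    for issuer, subject, is_ca in certs:
        if subject == top_ca:
            raise ValueError("top CA must not be certified by another CA")
        if subject in issuer_of:
            raise ValueError(f"{subject} has two issuers (cross-link, not a tree)")
        issuer_of[subject] = issuer
        if is_ca:
            cas.add(subject)
    for issuer, subject, _ in certs:
        if issuer not in cas:
            raise ValueError(f"{issuer} issued to {subject} but is not a CA")
    return issuer_of


def certification_path(subject, issuer_of, top_ca):
    """Walk issuer links upward; return the path ordered from the top CA down."""
    path, seen = [subject], {subject}
    while path[-1] != top_ca:
        issuer = issuer_of.get(path[-1])
        if issuer is None:
            raise ValueError(f"{path[-1]} does not chain to {top_ca}")
        if issuer in seen:
            raise ValueError(f"loop detected at {issuer}")
        seen.add(issuer)
        path.append(issuer)
    return path[::-1]


if __name__ == "__main__":
    tree = index_hierarchy(CERTS, "top-ca")
    for entity in ("user-a", "user-b"):
        print(" -> ".join(certification_path(entity, tree, "top-ca")))
```

This checks topology only; path validation additionally verifies each certificate's signature and validity, starting from the top CA's public key.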