(I) An ordered sequence of public-key certificates (or a sequence
of public-key certificates followed by one attribute certificate)
that enables a certificate user to verify the signature on the
last certificate in the path, and thus enables the user to obtain
a certified public key (or certified attributes) of the entity
that is the subject of that last certificate. (See: certificate
validation, valid certificate.)
(O) "An ordered sequence of certificates of objects in the [X.500
Directory Information Tree] which, together with the public key of
the initial object in the path, can be processed to obtain that of
the final object in the path." [X509, R2527]
(C) The path is the "list of certificates needed to allow a
particular user to obtain the public key of another." [X509] The
list is "linked" in the sense that the digital signature of each
certificate (except the first) is verified by the public key
contained in the preceding certificate; i.e., the private key used
to sign a certificate and the public key contained in the
preceding certificate form a key pair owned by the entity that
signed.
(C) In the X.509 quotation in the previous "C" paragraph, the word
"particular" signals that a certification path that one certificate
user can validate cannot necessarily be validated by another. That
is because either the first certificate must be a trusted
certificate (it might be a root certificate) or the signature on
the first certificate must be verifiable with a trusted key (it
might be a root key), and such trust is defined relative to each
user, not absolutely for all users: two users who hold different
trust anchors reach different verdicts on the same path.
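The two properties described above, the link-by-link signature check
and the user-relative trust anchor, as an added example in Go using
only the standard library's crypto/x509 package. This code is not
from the glossary or from the X.509 specification; the names Root A,
Intermediate A, Root B and server.example, and the helpers makeCert,
checkLinks, validateFor and runDemo, are illustrative. The path is
ordered as in the glossary, first certificate to end entity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // toy serial allocator; real CAs use long random serials

// makeCert issues a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise it is signed with parentKey, the private key behind parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a signer without this is refused below
	}
	signerCert, signerKey := parent, parentKey
	if parent == nil {
		signerCert, signerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkLinks verifies the "linked" property: every certificate after the first
// must carry a signature that verifies under the preceding certificate's public
// key (and the predecessor must be a CA permitted to sign certificates).
// It says nothing about whether anyone trusts the first certificate.
func checkLinks(path []*x509.Certificate) error {
	if len(path) == 0 {
		return errors.New("empty certification path")
	}
	for i := 1; i < len(path); i++ {
		if err := path[i].CheckSignatureFrom(path[i-1]); err != nil {
			return fmt.Errorf("link %d -> %d broken: %w", i-1, i, err)
		}
	}
	return nil
}

// validateFor is one relying party's view of the path: the end-entity
// certificate must chain to a root in that party's own trust store. The root
// the path itself presents (path[0]) carries no weight unless the store holds it.
func validateFor(path []*x509.Certificate, trusted *x509.CertPool) error {
	if len(path) < 2 {
		return errors.New("path too short")
	}
	inter := x509.NewCertPool()
	for _, c := range path[1 : len(path)-1] {
		inter.AddCert(c)
	}
	_, err := path[len(path)-1].Verify(x509.VerifyOptions{
		Roots:         trusted,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Outcome records what each check concluded about the constructed path.
type Outcome struct {
	LinksOK        bool // every cert after the first verifies under its predecessor
	SwapBreaksLink bool // substituting an unrelated root for path[0] breaks link 0 -> 1
	ValidForUserA  bool // user A, who trusts Root A, can validate the path
	ValidForUserB  bool // user B, who trusts only Root B, cannot
}

func runDemo() (Outcome, error) {
	var out Outcome
	rootA, rootAKey, err := makeCert("Root A", true, nil, nil)
	if err != nil {
		return out, err
	}
	intA, intAKey, err := makeCert("Intermediate A", true, rootA, rootAKey)
	if err != nil {
		return out, err
	}
	leaf, _, err := makeCert("server.example", false, intA, intAKey)
	if err != nil {
		return out, err
	}
	rootB, _, err := makeCert("Root B", true, nil, nil)
	if err != nil {
		return out, err
	}
	path := []*x509.Certificate{rootA, intA, leaf}
	out.LinksOK = checkLinks(path) == nil
	out.SwapBreaksLink = checkLinks([]*x509.Certificate{rootB, intA, leaf}) != nil

	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(rootA)
	poolB.AddCert(rootB)
	out.ValidForUserA = validateFor(path, poolA) == nil
	out.ValidForUserB = validateFor(path, poolB) == nil
	return out, nil
}

func main() {
	out, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

checkLinks and validateFor are deliberately separate: a path whose
links all hold is still useless to a user whose trust store contains
none of its certificates, which is exactly the point the "(C)"
paragraph makes about "particular" users.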