98   Align terminology regarding trust anchor and root CA certificate

Created: 31 Jan 2025

Status: Approval (Editoral)

Part: Part 3 (2023, Edition 2)

Links:

Page: 27

Clause: 7.5.3

Paragraph: first

Issue

IEC 62351 uses sometimes the term root CA like in 7.5.3, but also in the description of several security events in A.3. It would be better to align with the X.509 terminology using trust anchor as more generic term.

Proposal

Proposal to replace the occurrences of root CA with trust anchor, to better align with X.509 and also with RFC 8446 (TLS 1.3). Note that RFC 5246 (TLS 1.2) still uses the term root CA.

In addition, as the term trust anchor in X.509 still allows a great degree of freedom, IEC 62351-3 should go beyond the definition in X.509 and be more restictive. Definition should be aligned within WG15.

Discussion Created Status
accepted as editorial improvement 18 Jun 25 Approval (Editoral)
Discussed during WG15 meeting in 06/2025 and agreed to be advanced as proposed.

Proposal to add the definition in clause 6.4.1 as it is mmore general and applies to TLS 1.2 and TLS 1.3 likewise.

see also attachement
16 Jun 25 Discussion (red)
Good catch, updated proposal:

In addition to the trust anchor definition in ITU-T X.509, clause 7.5, this specification narrows the definition by requiring that a trust anchor is a self-signed certificate of a Trusted CA that contains the Basic Constraint cA=true and supports the key usage of keyCertSign.

Based on that End entity certificates should not be used as trust anchors.
Pinning may be used to restrict the scope of trust anchors to specific intermediate certificates.
Moreover CertAVL should be used to explicitly trust end entity certificates.

Note: this text is probably to be put into IEC 62351-9 or into the intended revision of IEC 62351-10 as operational consideration for OT PKIs. 		22 May 25 Discussion (red)
In the second paragraph you still use the word "root CA certificate"
There is also a typo: exolitly 		22 May 25 Discussion (red)
currently discussed proposal:

In addition to the trust anchor definition in ITU-T X.509, clause 7.5, this specification narrows the definition by requiring that a trust anchor is a self-signed certificate of a Trusted CA that contains the Basic Constraint cA=true and supports the key usage of keyCertSign.

Based on that End entity certificates should not be used as trust anchors
Pinning may be used to restrict the scope of root CA certificates to specific intermediate certificates.
Moreover CertAVL should be used to exolitly trust end entity certificates.

Note: this text is probably to be put into IEC 62351-9 or into the intended revision of IEC 62351-10 as operational consideration for OT PKIs. 		05 Feb 25 Discussion (red)
change of term root CA certificate to trust anchor should be an editorial improvement to align terminology

Definition of trust anchor may require further specification 		31 Jan 25 Accepted

 

Privacy | Contact | Disclaimer

Tissue DB v. 25.7.7.1