RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008

Note: This RFC has been updated by RFC 6818, RFC 8398, RFC 8399, RFC 9549

Errata ID: 7661
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Benjamin Strauss
Date Reported: 2023-09-28

Section 3.5 says:

      (g)  cross-certification:  Two CAs exchange information used in
           establishing a cross-certificate.  A cross-certificate is a
           certificate issued by one CA to another CA that contains a CA
           signature key used for issuing certificates.

It should say:

      (g)  cross-certification:  Two CAs exchange information used in
           establishing a cross-certificate.

Notes:

The removed sentence is factually inaccurate and misleading: "A cross-certificate is a certificate issued by one CA to another CA that contains a CA signature key used for issuing certificates."
A "signature key used for issuing certificates" would be a private key. A certificate simply does not contain a private key. A definition of "cross-certificate" for the purpose of this RFC is already provided in section 3.2, so there is no point in elaborating here.
(The definition given in section 3.2 conflicts with the narrower, and more generally used, definition given in RFC 4949, but that is beside the point.)

Report New Errata