
Re: Clearance & CA Clearance Constraints Cert Ext ID




David:

Experience trying to deploy clearance with SubjectDirectoryAttribute has proven to be quite difficult. One issue is that CA clearance constraints impose limits on clearance values, which if carried in SubjectDirectoryAttributes impose limits on a single attribute. Another concern is that one does not want to make the SubjectDirectoryAttributes critical to ensure proper processing of the CA clearance constraints.

Russ

At 05:37 PM 2/21/2008, David A. Cooper wrote:
Russ Housley wrote:
It is important to me that the syntax for representing the clearance in a certificate and an attribute certificate are exactly the same. RFC 3281 already specifies it for an attribute certificate. There are folks who are going to put clearance information in a certificate. I'd like them all to do it the same way, so that when policy permits, they can interoperate.

Unfortunately, the current draft is working against this goal. There is already a mechanism defined in X.501 including clearance information in a public key certificate. X.501 defines the clearance attribute, which (as X.501 notes) would be placed in the subjectDirectoryAttributes extension when included in a public key certificate. This draft defines a new certificate extension that uses the syntax and OID of the X.501 clearance attribute. Thus, there will be two ways defined for CAs to include clearance information in public key certificates, even though both use the same syntax. If the goal is for everyone to encode this information in public key certificates in the same way, then we shouldn't base achieving that goal on the assumption that everyone will ignore X.501 when determining how to encode an X.501 defined attribute.

Dave