
Re: AC profile - Policy Authority on the Role attribute



Hi Andy,

When I first looked at it, I thought we'd left this out simply
to make things easier, but since that didn't actually sound right,
I checked, and there is a real reason.

X.509 says: "The roleAuthority, if present, identifies the recognized 
authority that is responsible for issuing the role specification 
certificate"

And given that we have to be compatible with X.509 and don't want 
to complicate the profile by introducing "role specification 
certificates", I think we do have to mandate not using the
roleAuthority.

Regards,
Stephen.

Andy Dowling wrote:
> 
> section 4.4.5 of the ac profile document states the following:
> 
>    The roleAuthority field MUST NOT be used. The roleName field MUST be
>    present, and roleName MUST use the uniformResourceIdentifier CHOICE
>    of the GeneralName.
> 
> This means that we cannot define a policy authority for the role attribute!
> :-(
> Previously, where we used IETFAttrSyntax, we were able to qualify the
> attribute in this way.
> 
> Could we change the profile to allow the use of roleAuthority, i.e.:
> 
>    The roleAuthority field MAY be used to specify the issuing authority of
>    the role attribute.
>    The roleName field MUST be
>    present, and roleName MUST use the uniformResourceIdentifier CHOICE
>    of the GeneralName.
> 
> Any comments?
> 
> Andy

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane,                    fax: +353 1 647 7499
Dublin 2.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
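
The rule discussed in this thread (roleAuthority absent, roleName present and using the uniformResourceIdentifier CHOICE) can be checked on an encoded role attribute value. The following Python check is an added example, not part of the original messages or of the profile document; the DER tag layout stated in its comments is an assumption based on the X.509 RoleSyntax definition, and the function names and sample URNs are constructed for illustration.

```python
# Added example. Assumed ASN.1 (X.509 attribute certificate module, IMPLICIT TAGS):
#   RoleSyntax ::= SEQUENCE {
#       roleAuthority [0] GeneralNames OPTIONAL,
#       roleName      [1] GeneralName }
# roleName wraps a CHOICE, so its [1] tag is encoded explicitly (0xA1 around 0x86).

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def check_role_syntax(der):
    """Return (ok, detail) for the profile's roleAuthority/roleName rule."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        return False, "not a single SEQUENCE"
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if any(t == 0xA0 for t, _ in fields):      # [0] roleAuthority MUST NOT be used
        return False, "roleAuthority present"
    if len(fields) != 1 or fields[0][0] != 0xA1:  # [1] roleName MUST be present
        return False, "roleName missing"
    t, uri, inner_end = read_tlv(fields[0][1])
    if t != 0x86 or inner_end != len(fields[0][1]):  # [6] uniformResourceIdentifier
        return False, "roleName is not uniformResourceIdentifier"
    return True, uri.decode("ascii")

def _tlv(tag, value):  # builds the constructed samples below (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed sample values, not taken from any real certificate.
URI = _tlv(0x86, b"urn:example:role:admin")
GOOD = _tlv(0x30, _tlv(0xA1, URI))
WITH_AUTHORITY = _tlv(0x30, _tlv(0xA0, _tlv(0x86, b"urn:example:ca")) + _tlv(0xA1, URI))
WITH_DNS_NAME = _tlv(0x30, _tlv(0xA1, _tlv(0x82, b"example.com")))
```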