XACML OID tag?
This is going to sound like heresy, but has anyone defined an OID tag for XACML, so that an XACML string could be included in an X.509 certificate?
Now, I fully expect to be assailed from both sides for this question ― one for mixing XML into a bastardized certificate format instead of using pure ASN.1 as God obviously intended, and the other for daring to pour holy XML into such an impure, defiled, and unclean vessel as an X.509 certificate.
So be it, and let the flames begin.
But I'm observing that conventional, identity-based PKI is suffering what the medical community calls a "failure to thrive", with the sole exception being SSL certificates issued by the TTP CAs, with VeriSign obviously having the mind share in that space.
Toolkits which would enable enterprises to issue their own certificates have so far failed to take off to any significant degree (ours included), with the consequence that some of those vendors, who once flew so high, are close to being delisted by the NASDAQ.
One of the reasons, I believe, is that neither the public TTPs nor the toolkit vendors have so far adequately addressed the important issue of providing a cross-enterprise Privilege Management Infrastructure solution. And now that they are feeling a very significant financial pinch, they may not have the wherewithal to solve that problem.
Maybe it's just the religion of the week (XML) creating an evangelistic fervor, but that's where the buzz seems to be these days. And I'd rather drop some XACML into an X.509 certificate and make use of the existing tools, rather than create everything from scratch. And yes, if X.509 attribute certificates had been better thought out and/or more widely implemented, maybe this wouldn't be necessary. And if pigs could whistle and cows could fly, then the world would be a much different place.
Anyway, does anyone have such an OID and a suggested way to use it? If not, I guess I'll explore rolling my own, unless someone else wants to join in the fun.
Bob
Robert R. Jueneman
Security Architect
Novell, Inc -- the leading provider of Net services software
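One way to "roll your own", as an added example that is not part of the original post or of any Novell code: hand-encode an RFC 5280 Extension (SEQUENCE of extnID, optional critical flag, extnValue OCTET STRING) that carries an XACML policy string, and parse it back. The OID 1.3.6.1.4.1.99999.1.1 is an assumed placeholder under the IANA private-enterprise arc, not a registered value.

```python
# Added example: DER-encode an X.509 extension carrying an XACML policy string.
# 1.3.6.1.4.1.99999.1.1 is a PLACEHOLDER private-enterprise OID, not registered.
XACML_EXT_OID = "1.3.6.1.4.1.99999.1.1"

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def build_xacml_extension(policy_xml: str, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.
    extnValue wraps the policy as a UTF8String. Non-critical by default: RFC 5280
    requires relying parties to reject a cert whose critical extension they do not know."""
    parts = encode_oid(XACML_EXT_OID)
    if critical:
        parts += der_tlv(0x01, b"\xff")          # BOOLEAN TRUE (DEFAULT FALSE is omitted)
    parts += der_tlv(0x04, der_tlv(0x0C, policy_xml.encode("utf-8")))
    return der_tlv(0x30, parts)

def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_xacml_extension(ext: bytes):
    """Return (oid, critical, policy_xml) from a DER Extension built above."""
    _, seq, _ = read_tlv(ext, 0)
    _, oid_bytes, pos = read_tlv(seq, 0)
    tag, content, pos = read_tlv(seq, pos)
    critical = tag == 0x01 and content == b"\xff"
    if tag == 0x01:                              # skip the explicit BOOLEAN
        tag, content, pos = read_tlv(seq, pos)
    _, policy, _ = read_tlv(content, 0)          # unwrap OCTET STRING -> UTF8String
    return decode_oid(oid_bytes), critical, policy.decode("utf-8")
```

A relying party that does not know this OID simply ignores a non-critical instance; marking it critical instead turns every legacy validator into a hard rejection, which is the practical reason to keep policy-carrying extensions non-critical unless enforcement is truly mandatory.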