
Re: XACML OID tag?



Bob,

Not sure if this is exactly what you're getting at,
but XML 1.0 markup is now a textual encoding of ASN.1
values based on ASN.1 notation (schema) and a new
part of the ASN.1 standards. 

XER is the XML Encoding Rules of ASN.1, and CXER
is a canonical form of XER, in the same manner that
DER is a canonical encoding of BER. CXER is suitable
for the same types of operations. I'm told that tool
support will be available from vendors in the
fourth quarter of this year.

The new ASN.1 XML Value Notation is an alternative
to the ASN.1 Basic Notation which will be much more
familiar and natural to use for many folks. The values
are equivalent to current ASN.1 abstract values. This
means that it will be possible to send compact binary
encodings over the wire, but to decode them into more
verbose XML markup. Alternatively, the same abstract
values can be transferred as XML markup.

See http://asn1.elibel.tm.fr/en/xml/index.htm for 
more information. This page will be updated soon with
the meeting results and accomplishments of the last 
two weeks in Bangalore India as soon as folks recover
from travel.

There will be several new OIDs defined in the ASN.1 
standards; one to identify XML. Another being kicked
about will identify gZIPed encoded values. These OIDs
will be built into the standards. 

Phil Griffin


Bob Jueneman wrote:
> 
> This is going to sound like heresy, but has anyone defined an OID tag for XACML, so that an XACML string could be included in a X.509 certificate?
> 
> Now, I fully expect to be assailed from both sides for this question -- one for mixing XML into a bastardized certificate format instead of using pure ASN.1 as God obviously intended, and the other for daring to pour holy XML into such an impure, defiled, and unclean vessel as an X.509 certificate.
> 
> So be it, and let the flames begin.
> 
> But I'm observing that conventional, identity-based PKI is suffering what the medical community calls a "failure to thrive", with the sole exception being SSL certificates issued by the TTP CAs, with VeriSign obviously having the mind share in that space.
> 
> Toolkits which would enable enterprises to issue their own certificates have so far failed to take off to any significant degree (ours included), with the consequence that some of those vendors, who once flew so high, are close to being delisted by the NASDAQ.
> 
> One of the reasons, I believe, is that neither the public TTPs nor the toolkit vendors have so far adequately addressed the important issue of providing a cross-enterprise Privilege Management Infrastructure solution.  And now that they are feeling a very significant financial pinch, they may not have the wherewithal to solve that problem.
> 
> Maybe it's just the religion of the week (XML) creating an evangelistic fervor, but that's where the buzz seems to be these days.  And I'd rather drop some XACML into an X.509 certificate and make use of the existing tools, rather than create everything from scratch.  And yes, if X.509 attribute certificates had been better thought out and/or more widely implemented, maybe this wouldn't be necessary. And if pigs could whistle and cows could fly, then the world would be a much different place.
> 
> Anyway, does anyone have such an OID and a suggested way to use it?  If not, I guess I'll explore rolling my own, unless someone else wants to join in the fun.
> 
> Bob
> 
> Robert R. Jueneman
> Security Architect
> 
> Novell, Inc -- the leading provider of Net services software
> 