Thanks Zoltan. I understand that the issuing authority must produce a CP and a CPS. My problem is, there seems to be no good place in an attribute certificate to put an OID that associates the AC with those policies and practices.

In Public Key Certificates, you would put the OID in the certificatePolicies extension. Some have suggested that we include a certificatePolicies extension in the AC, but I’m not sure if we would still have a “PKIX compliant” AC if we did that. Perhaps we would as long as we made it non-critical. Perhaps more importantly, would such an AC make it past the commonly available decoders that are out there…..

Chris

-----Original Message-----

Hi,

such operational practices can be a part of the CP and CPS of the issuing authority. However, I can't help you with a public CPS example that deals with ACs.

Cheers,
Zoltan

-----Original Message-----

Is there a defined mechanism to specify something
analogous to a certificate policy in an attribute certificate?

In reviewing the PKIX AC profile, I see that the syntax of the attributes field is defined by the AttributeType OID, but rather than syntax per se, I’m looking for a way to specify the particular set of policies, practices, and procedures that the attribute authority was operating under when it issued the attribute certificate. Seems like this would be important to relying parties.

X.509 includes an acceptablePrivilegePolicies extension that seems like it might do the job, but it was apparently profiled out by PKIX.

Chris Francis