RE: Attribute Certificate Policy??
Chris:
Including a certificatePolicies extension in an AC is allowed by the PKIX
AC profile, as long as it is marked non-critical. The profile
says:
An AC that has no extensions conforms to the profile; however,
section 4.3 defines the extensions that MAY be used with this
profile, and whether or not they may be marked critical. If any
other critical extension is used, then the AC does not conform to
this profile. However, if any other non-critical extension is used,
then the AC does conform to this profile.
Russ
At 10:12 AM 3/6/2002 -0500, Christopher S. Francis wrote:
Thanks Zoltan.
I understand that the issuing authority must produce a CP and a CPS.
My problem is, there seems to be no good place in an attribute
certificate to put an OID that associates the AC with those policies
and practices. In Public Key Certificates, you would put the OID in
the certificatePolicies extension.
Some have suggested that we include a certificatePolicies extension
in the AC, but I'm not sure if we would still have a PKIX compliant AC
if we did that. Perhaps we would as long as we made it non-critical.
Perhaps more importantly, would such an AC make it past the commonly
available decoders that are out there...
Chris
-----Original Message-----
From: Zoltán Nochta
[mailto:Zoltan.Nochta@xxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 06, 2002 10:02 AM
To: 'Christopher S. Francis'
Subject: AW: Attribute Certificate Policy??
Hi,
such operational practices can be a part of the CP and CPS of the
issuing authority. However, I can't help you with a public CPS example
that deals with ACs.
Cheers,
Zoltan
-----Original Message-----
From: Christopher S. Francis
[mailto:chris.francis@xxxxxxxxxxxxxxxx]
Sent: Tuesday, March 5, 2002 23:41
To: Ietf-Pkix
Subject: Attribute Certificate Policy??
Is there a defined mechanism to specify something analogous to a
certificate policy in an attribute certificate?
In reviewing the PKIX AC profile, I see that the syntax of the
attributes field is defined by the AttributeType OID, but rather than
syntax per se, I'm looking for a way to specify the particular set of
policies, practices, and procedures that the attribute authority was
operating under when it issued the attribute certificate. Seems like
this would be important to relying parties.
X.509 includes an acceptablePrivilegePolicies extension that seems
like it might do the job, but it was apparently profiled out by PKIX.
Chris Francis
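
The conformance rule quoted from the profile at the top of this thread, as an added example that is not part of the original messages: it walks a DER-encoded Extensions value and applies the rule to each extension. Assumptions: the section 4.3 OIDs and criticality values are taken from RFC 3281, the function names are hypothetical, and the sample bytes (a certificatePolicies extension with example policy OID 2.999.1) are constructed.

```python
# Added example. PROFILE: section 4.3 extension OID -> required criticality (per RFC 3281).
PROFILE = {
    "1.3.6.1.5.5.7.1.4": True, "2.5.29.55": True,    # auditIdentity, targetInformation
    "2.5.29.35": False, "1.3.6.1.5.5.7.1.1": False,  # authorityKeyIdentifier, authorityInfoAccess
    "2.5.29.31": False, "2.5.29.56": False,          # cRLDistributionPoints, noRevAvail
}

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:  # base-128; high bit set on all but the last octet of an arc
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def check_extensions(der):  # returns (conforms, [(oid, critical, ok), ...])
    _, seq, _ = read_tlv(der, 0)  # outer SEQUENCE OF Extension
    findings, pos = [], 0
    while pos < len(seq):
        _, item, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(item, 0)
        tag, val, _ = read_tlv(item, p)  # BOOLEAN if present, else the OCTET STRING
        critical = tag == 0x01 and val != b"\x00"  # critical DEFAULT FALSE
        oid = decode_oid(oid_body)
        # Listed extension: criticality must match. Any other: must be non-critical.
        ok = critical == PROFILE[oid] if oid in PROFILE else not critical
        findings.append((oid, critical, ok))
    return all(f[2] for f in findings), findings

def tlv(tag, body):  # sample-building helper, short-form lengths only
    return bytes([tag, len(body)]) + body
def make_ext(oid_hex, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + crit + tlv(0x04, value))
# Constructed sample: certificatePolicies (2.5.29.32) carrying example policy OID 2.999.1
POLICY = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("883701"))))
NONCRITICAL = tlv(0x30, make_ext("551d20", POLICY))
CRITICAL = tlv(0x30, make_ext("551d20", POLICY, critical=True))
```

`check_extensions(NONCRITICAL)` reports the AC extensions as conforming, while the same extension marked critical does not conform.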