[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Attribute Certificate Policy??

To: "Christopher S. Francis" <chris.francis@xxxxxxxxxxxxxxxx>
Subject: RE: Attribute Certificate Policy??
From: "Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>
Date: Thu, 07 Mar 2002 09:21:15 -0500
Cc: Ietf-Pkix <ietf-pkix@xxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Chris:

I think that certificatePolicies is the correct extension to use. The profile does not need to be updated unless you think that there is a reason to mark it critical.

What goes the the CP and CPS for an AA?

Russ

At 08:57 AM 3/7/2002 -0500, Christopher S. Francis wrote:

Sure.  I can pursue it.  Since I don't spend a lot of time here, I'm not
exactly sure what the appropriate process is, but what I have in mind is to
do the following:

1) Get some clarification from ANSI and whoever else has an opinion on
whether X.509 offers an extension that is intended to be used to carry
certificate policy information in attribute certificates.  Perhaps
certificatePolicies, perhaps acceptablePrivilegePolicies, perhaps they had
something else in mind.
2) Depending on what I find out, propose an update to the PKIX attribute
certificate profile that includes an extension to ACs to hold policy
information about the issuing authority.

Based on your earlier responses, I understand that a certificatePolicies
extension could be included in an AC as long as it is marked non-critical,
but it that's only because *anything* can be included as an extension if
it's marked non-critical.  It seems to me there should be something specific
in the profile to address the issue of certificate policy.

Chris
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
Behalf Of Housley, Russ
Sent: Wednesday, March 06, 2002 11:02 AM
To: Christopher S. Francis
Cc: Ietf-Pkix
Subject: Re: Attribute Certificate Policy??

Chris:

I am not aware of any work in this area. You can take the lead.

Russ

At 05:41 PM 3/5/2002 -0500, Christopher S. Francis wrote:

>Is there a defined mechanism to specify something analogous to a
>certificate policy in an attribute certificate?
>
>
>
>In reviewing the PKIX AC profile, I see that the syntax of the attributes
>field is defined by the AttributeType OID, but rather than syntax per se,
>I m looking for a way to specify the particular set of policies,
>practices, and procedures that the attribute authority was operating under
>when it issued the attribute certificate.  Seems like this would be
>important to relying parties.
>
>
>
>X.509 includes an acceptablePrivilegePolicies extension that seems like it
>might to the job, but it was apparently profiled out by PKIX.
>
>
>
>Chris Francis
>
>
>
>

Follow-Ups:
- RE: Attribute Certificate Policy??
  - From: Christopher S. Francis

References:
- Re: Attribute Certificate Policy??
  - From: Housley, Russ
- RE: Attribute Certificate Policy??
  - From: Christopher S. Francis

Prev by Date: Re: DPD/DPV reqmts: hash of the request
Next by Date: Re: Attribute Certificate Policy??
Previous by thread: RE: Attribute Certificate Policy??
Next by thread: RE: Attribute Certificate Policy??
Index(es):
- Date
- Thread