RE: Attribute Certificate Policy??
Russ,
An AA CPS would include many of the same things that would be present in a
CA's CPS. These would include things like: community and applicability for
the ACs issued, statements of liability, issuer/end-entity/relying party
obligations, restrictions on usage of the AC, technical security controls
for the AA's signing key, etc.
In some environments, I believe that an AA might in fact want to make the
certificatePolicies extension critical, especially if there is legal
liability involved. By making the extension critical it says that relying
parties are required to accept the terms documented in the AA's CPS before
relying on the authorizations granted in the certificate.
Chris
-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Thursday, March 07, 2002 9:21 AM
To: Christopher S. Francis
Cc: Ietf-Pkix
Subject: RE: Attribute Certificate Policy??
Chris:
I think that certificatePolicies is the correct extension to use. The
profile does not need to be updated unless you think that there is a reason
to mark it critical.
What goes in the CP and CPS for an AA?
Russ
At 08:57 AM 3/7/2002 -0500, Christopher S. Francis wrote:
>Sure. I can pursue it. Since I don't spend a lot of time here, I'm not
>exactly sure what the appropriate process is, but what I have in mind is to
>do the following:
>
>1) Get some clarification from ANSI and whoever else has an opinion on
>whether X.509 offers an extension that is intended to be used to carry
>certificate policy information in attribute certificates. Perhaps
>certificatePolicies, perhaps acceptablePrivilegePolicies, perhaps they had
>something else in mind.
>2) Depending on what I find out, propose an update to the PKIX attribute
>certificate profile that includes an extension to ACs to hold policy
>information about the issuing authority.
>
>Based on your earlier responses, I understand that a certificatePolicies
>extension could be included in an AC as long as it is marked non-critical,
>but that's only because *anything* can be included as an extension if
>it's marked non-critical. It seems to me there should be something specific
>in the profile to address the issue of certificate policy.
>
>Chris
>-----Original Message-----
>From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
>On Behalf Of Housley, Russ
>Sent: Wednesday, March 06, 2002 11:02 AM
>To: Christopher S. Francis
>Cc: Ietf-Pkix
>Subject: Re: Attribute Certificate Policy??
>
>
>Chris:
>
>I am not aware of any work in this area. You can take the lead.
>
>Russ
>
>
>At 05:41 PM 3/5/2002 -0500, Christopher S. Francis wrote:
>
> >Is there a defined mechanism to specify something analogous to a
> >certificate policy in an attribute certificate?
> >
> >In reviewing the PKIX AC profile, I see that the syntax of the attributes
> >field is defined by the AttributeType OID, but rather than syntax per se,
> >I'm looking for a way to specify the particular set of policies,
> >practices, and procedures that the attribute authority was operating under
> >when it issued the attribute certificate. Seems like this would be
> >important to relying parties.
> >
> >X.509 includes an acceptablePrivilegePolicies extension that seems like it
> >might do the job, but it was apparently profiled out by PKIX.
> >
> >Chris Francis
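The thread above discusses carrying a certificatePolicies extension in an attribute certificate and what marking it critical means for a relying party. As an added illustration that is not part of the thread, the following Python encodes such an extension in DER (with a CPS-pointer qualifier, id-qt-cps) with the critical flag set or clear, parses it back, and applies the relying-party rule that a critical extension the verifier cannot process, or whose policies it does not accept, causes the AC to be rejected, while a non-critical one can be ignored. The OIDs 2.5.29.32 (id-ce-certificatePolicies) and 1.3.6.1.5.5.7.2.1 (id-qt-cps) are the real ones; the policy OID 1.2.3.4.5, the CPS URL and the acceptance rule are placeholders constructed for this example, and the code is not from any PKIX implementation.

```python
"""Added example: certificatePolicies in an AC, DER encode/decode plus the
relying-party criticality check.  Pure Python, no third-party modules.
The policy OID and CPS URL used in the demo are constructed placeholders."""

CERTIFICATE_POLICIES_OID = "2.5.29.32"   # id-ce-certificatePolicies
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"          # id-qt-cps, CPS pointer qualifier


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """Inverse of encode_oid for the contents octets (second arc below 40 only)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(buf, pos=0):
    """Return (tag, contents, offset after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_policy_information(policy_oid, cps_uri=None):
    """PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers OPTIONAL }"""
    body = encode_oid(policy_oid)
    if cps_uri is not None:   # PolicyQualifierInfo { id-qt-cps, IA5String }
        qualifier = der_tlv(0x30, encode_oid(ID_QT_CPS) + der_tlv(0x16, cps_uri.encode("ascii")))
        body += der_tlv(0x30, qualifier)
    return der_tlv(0x30, body)


def encode_certificate_policies_extension(policies, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    policy_seq = der_tlv(0x30, b"".join(encode_policy_information(o, u) for o, u in policies))
    body = encode_oid(CERTIFICATE_POLICIES_OID)
    if critical:              # DER omits a BOOLEAN equal to its DEFAULT, so FALSE is absent
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, policy_seq))


def parse_extension(der):
    _, body, _ = parse_tlv(der)
    _, oid_body, pos = parse_tlv(body)
    tag, contents, pos = parse_tlv(body, pos)
    critical = False
    if tag == 0x01:           # optional critical flag present
        critical = contents != b"\x00"
        tag, contents, pos = parse_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING expected")
    return {"oid": decode_oid(oid_body), "critical": critical, "value": contents}


def parse_certificate_policies(extn_value):
    """Return [(policy_oid, cps_uri_or_None), ...] from an extnValue."""
    _, seq, _ = parse_tlv(extn_value)
    out, pos = [], 0
    while pos < len(seq):
        _, pinfo, pos = parse_tlv(seq, pos)
        _, oid_body, p = parse_tlv(pinfo)
        cps = None
        if p < len(pinfo):    # policyQualifiers present
            _, quals, _ = parse_tlv(pinfo, p)
            q = 0
            while q < len(quals):
                _, qinfo, q = parse_tlv(quals, q)
                _, qid, qp = parse_tlv(qinfo)
                if decode_oid(qid) == ID_QT_CPS:
                    cps = parse_tlv(qinfo, qp)[1].decode("ascii")
        out.append((decode_oid(oid_body), cps))
    return out


def relying_party_decision(extension_der, acceptable_policies,
                           understood=frozenset({CERTIFICATE_POLICIES_OID})):
    """Example acceptance rule: unrecognised critical extension -> reject;
    critical certificatePolicies with no acceptable policy -> reject;
    non-critical certificatePolicies is informational only."""
    ext = parse_extension(extension_der)
    if ext["oid"] not in understood:
        return (not ext["critical"], "unrecognised extension %s" % ext["oid"])
    matched = [o for o, _ in parse_certificate_policies(ext["value"]) if o in acceptable_policies]
    if matched:
        return True, "acceptable policy " + ",".join(matched)
    if ext["critical"]:
        return False, "critical certificatePolicies, no acceptable policy"
    return True, "non-critical certificatePolicies ignored"


if __name__ == "__main__":
    ext = encode_certificate_policies_extension([("1.2.3.4.5", "http://aa.example/cps")], True)
    print(ext.hex())
    print(relying_party_decision(ext, {"1.2.3.4.5"}), relying_party_decision(ext, {"9.9.9"}))
```

Note that the same bytes, decoded by a relying party that only accepts policy 9.9.9, are rejected when the flag is set and silently accepted when it is clear; that difference is the whole effect of criticality, so an AA that wants its CPS terms to bind must either set the flag or rely on out-of-band agreement.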