RE: Attribute Certificate Policy??
All:
I have been following this thread over the past couple of days; many
interesting issues.
I plan to discuss with the full ABA Information Security Committee
leadership during our next call (they are copied on this email as well).
It's not something at which we have been actively looking, but it is
certainly something we could consider.
Regards,
R.
_______________________________
Randy V. Sabett, J.D., CISSP
Cooley Godward LLP
One Freedom Square, Reston Town Center
11951 Freedom Drive
Reston, VA 20190-5601
Direct: 703.456.8137
Main: 703.456.8000
Cell: 703.597.6521
Fax: 703.456.8100
E-Mail: rsabett@xxxxxxxxxx
http://www.cooley.com
http://www.cooley.com/practice_and_people.ixe?section=Attorney+Biographies&id=SABETTRV
Broomfield * Kirkland * Menlo Park * Palo Alto * Reston * San Diego * San Francisco
-----Original Message-----
From: Housley, Russ
To: Christopher S. Francis
Cc: ietf-pkix@xxxxxxx; rsabett@xxxxxxxxxx
Sent: 3/7/2002 10:11 AM
Subject: Re: Attribute Certificate Policy??
Chris:
Perhaps we can get some of the American Bar Assoc people to comment on the
CP and CPS issues. I suspect that we will need to go through an
educational phase before we get any useful feedback. Perhaps they have
been looking at it and we are just unaware...
Russ
At 02:53 PM 3/7/2002 +0000, Stephen Farrell wrote:
>Chris,
>
>I'd be against the idea of proposing this as an update to the AC profile
>for the following reasons:
>
>- The profile is in the rfc editor's queue only awaiting son-of-2359 to
> be processed and such an update would require a re-set back to WG last
> call (a matter of months!)
>- I don't believe that the use of policy OIDs in ACs is at all well
> understood and therefore I'd argue to omit it from the profile (one
> of the things we tried to do with the AC profile was to only include
> stuff that we were pretty sure could work)
>- There may be entirely different policy considerations to address,
> depending on the context for the use of ACs (e.g. supporting roles for
> long-term signatures vs roles for access control).
>
>So, while I'd welcome work starting on this - for both process and
>technical reasons I believe the way to handle it is to write things up in
>a separate I-D. At some point in the future (say if the AC profile were
>being cycled at proposed standard), the two things could be merged if
>appropriate.
>
>Regards,
>Stephen.
>
>
>"Christopher S. Francis" wrote:
> >
> > Sure. I can pursue it. Since I don't spend a lot of time here, I'm not
> > exactly sure what the appropriate process is, but what I have in mind is to
> > do the following:
> >
> > 1) Get some clarification from ANSI and whoever else has an opinion on
> > whether X.509 offers an extension that is intended to be used to carry
> > certificate policy information in attribute certificates. Perhaps
> > certificatePolicies, perhaps acceptablePrivilegePolicies, perhaps they had
> > something else in mind.
> > 2) Depending on what I find out, propose an update to the PKIX attribute
> > certificate profile that includes an extension to ACs to hold policy
> > information about the issuing authority.
> >
> > Based on your earlier responses, I understand that a certificatePolicies
> > extension could be included in an AC as long as it is marked non-critical,
> > but that's only because *anything* can be included as an extension if
> > it's marked non-critical. It seems to me there should be something specific
> > in the profile to address the issue of certificate policy.
> >
> > Chris
> > -----Original Message-----
> > From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Housley, Russ
> > Sent: Wednesday, March 06, 2002 11:02 AM
> > To: Christopher S. Francis
> > Cc: Ietf-Pkix
> > Subject: Re: Attribute Certificate Policy??
> >
> > Chris:
> >
> > I am not aware of any work in this area. You can take the lead.
> >
> > Russ
> >
> > At 05:41 PM 3/5/2002 -0500, Christopher S. Francis wrote:
> >
> > >Is there a defined mechanism to specify something analogous to a
> > >certificate policy in an attribute certificate?
> > >
> > >
> > >
> > >In reviewing the PKIX AC profile, I see that the syntax of the attributes
> > >field is defined by the AttributeType OID, but rather than syntax per se,
> > >I'm looking for a way to specify the particular set of policies,
> > >practices, and procedures that the attribute authority was operating under
> > >when it issued the attribute certificate. Seems like this would be
> > >important to relying parties.
> > >
> > >
> > >
> > >X.509 includes an acceptablePrivilegePolicies extension that seems like it
> > >might do the job, but it was apparently profiled out by PKIX.
> > >
> > >
> > >
> > >Chris Francis
> > >
> > >
> > >
> > >
>
>--
>____________________________________________________________
>Stephen Farrell
>Baltimore Technologies, tel: (direct line) +353 1 881 6716
>39 Parkgate Street, fax: +353 1 881 7000
>Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
>Ireland http://www.baltimore.com