RE: Attribute Certificate Policy??
Yuriy,
Hmm.... You certainly have more experience in this area than I do. In
actual practice what you say may indeed be the case. I based my comments on
what I read in X.509.
From X.509 section 8.2.2.6 on the certificate policies extension:
"If the extension is flagged critical, it indicates that the certificate
shall only be used for the purpose, and in accordance with the rules implied
by one of the indicated certificate policies. The rules of a particular
policy may require the certificate-using system to process the qualifier
value in a particular way.
If the extension is flagged non-critical, use of this extension does not
necessarily constrain use of the certificate to the policies listed.
However, a certificate user may require a particular policy to be present in
order to use the certificate (see 10). Policy qualifiers may, at the option
of the certificate user, be processed or ignored."
Chris
-----Original Message-----
From: Yuriy Dzambasow [mailto:yuriy@xxxxxxxxxxxx]
Sent: Thursday, March 07, 2002 12:29 PM
To: Christopher S. Francis; Housley, Russ
Cc: Ietf-Pkix
Subject: RE: Attribute Certificate Policy??
Chris:
...snip...
>
> In some environments, I believe that an AA might in fact want to make the
> certificatePolicies extension critical, especially if there is legal
> liability involved. By making the extension critical it says that relying
> parties are required to accept the terms documented in the AA's CPS before
> relying on the authorizations granted in the certificate.
>
> Chris
Marking an extension critical has nothing to do with accepting terms in CPs
and CPSs. Things like relying party agreements address this issue.
Yuriy
...snip...