Chris,
I'd be against the idea of proposing this as an update to the AC profile
for the following reasons:
- The profile is in the rfc editor's queue only awaiting son-of-2359 to
be processed and such an update would require a re-set back to WG last
call (a matter of months!)
- I don't believe that the use of policy OIDs in ACs is at all well
understood and therefore I'd argue to omit it from the profile (one
of the things we tried to do with the AC profile was to only include
suff that we were pretty sure could work)
- There may be entirely different policy considerations to address,
depending on the context for the use of ACs (e.g. supporting roles for
long-term signatures vs roles for access control).
So, while I'd welcome work starting on this - for both process and
technical reasons I believe the way to handle it is to write things up in
a separate I-D. At some point in the future (say if the AC profile were
being cycled at proposed standard), the two things could be merged if
appropriate.
Regards,
Stephen.
"Christopher S. Francis" wrote:
>
> Sure. I can pursue it. Since I don't spend a lot of time here, I'm not
> exactly sure what the appropriate process is, but what I have in mind
is to
> do the following:
>
> 1) Get some clarification from ANSI and whoever else has an opinion on
> whether X.509 offers an extension that is intended to be used to carry
> certificate policy information in attribute certificates. Perhaps
> certificatePolicies, perhaps acceptablePrivilegePolicies, perhaps they had
> something else in mind.
> 2) Depending on what I find out, propose an update to the PKIX attribute
> certificate profile that includes an extension to ACs to hold policy
> information about the issuing authority.
>
> Based on your earlier responses, I understand that a certificatePolicies
> extension could be included in an AC as long as it is marked non-critical,
> but it that's only because *anything* can be included as an extension if
> it's marked non-critical. It seems to me there should be something
specific
> in the profile to address the issue of certificate policy.
>
> Chris
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
> Behalf Of Housley, Russ
> Sent: Wednesday, March 06, 2002 11:02 AM
> To: Christopher S. Francis
> Cc: Ietf-Pkix
> Subject: Re: Attribute Certificate Policy??
>
> Chris:
>
> I am not aware of any work in this area. You can take the lead.
>
> Russ
>
> At 05:41 PM 3/5/2002 -0500, Christopher S. Francis wrote:
>
> >Is there a defined mechanism to specify something analogous to a
> >certificate policy in an attribute certificate?
> >
> >
> >
> >In reviewing the PKIX AC profile, I see that the syntax of the attributes
> >field is defined by the AttributeType OID, but rather than syntax per se,
> >I m looking for a way to specify the particular set of policies,
> >practices, and procedures that the attribute authority was operating
under
> >when it issued the attribute certificate. Seems like this would be
> >important to relying parties.
> >
> >
> >
> >X.509 includes an acceptablePrivilegePolicies extension that seems
like it
> >might to the job, but it was apparently profiled out by PKIX.
> >
> >
> >
> >Chris Francis
> >
> >
> >
> >
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com