
RE: Attribute Certificate Policy??




I just want to point out that X.509 states that the certificatePolicies extension is only to be used in public-key certificates.

The first sentences in section 8 of X.509 state: "The certificate extensions defined in this clause are for use with public-key certificates, unless otherwise stated. Extensions for use with attribute certificates are defined in clause 15." There is nothing in section 8.2.2.6 on the certificatePolicies extension stating that the extension may be used in an attribute certificate, so its use is limited to public-key certificates.

I don't know what mechanisms, if any, are defined in X.509 to provide policy information about attribute certificates, but perhaps someone who is more familiar with that standard can provide some insight.

Dave

At 01:15 PM 3/7/02 -0500, Christopher S. Francis wrote:

>Yuriy,
>
>Hmm.... You certainly have more experience in this area than I do.  In
>actual practice what you say may indeed be the case.  I based my comments on
>what I read in X.509.
>
>From X.509 section 8.2.2.6 on the certificate policies extension:
>
>"If the extension is flagged critical, it indicates that the certificate
>shall only be used for the purpose, and in accordance with the rules implied
>by one of the indicated certificate policies.  The rules of a particular
>policy may require the certificate-using system to process the qualifier
>value in a particular way.
>
>If the extension is flagged non-critical, use of this extension does not
>necessarily constrain use of the certificate to the policies listed.
>However, a certificate user may require a particular policy to be present in
>order to use the certificate (see 10).  Policy qualifiers may, at the option
>of the certificate user, be processed or ignored."
>
>Chris
>
>-----Original Message-----
>From: Yuriy Dzambasow [mailto:yuriy@xxxxxxxxxxxx]
>Sent: Thursday, March 07, 2002 12:29 PM
>To: Christopher S. Francis; Housley, Russ
>Cc: Ietf-Pkix
>Subject: RE: Attribute Certificate Policy??
>
>
>Chris:
>
>...snip...
>
> >
> > In some environments, I believe that an AA might in fact want to make the
> > certificatePolicies extension critical, especially if there is legal
> > liability involved.  By making the extension critical it says that relying
> > parties are required to accept the terms documented in the AA's CPS before
> > relying on the authorizations granted in the certificate.
> >
> > Chris
>
>Marking an extension critical has nothing to do with accepting terms in CPs
>and CPSs.  Things like relying party agreements address this issue.
>
>Yuriy
>
>...snip...
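
The criticality rule quoted above from X.509 section 8.2.2.6, as an added example that is not part of any poster's message: it reads the `critical` flag and policy OIDs from a bare DER-encoded Extension value and applies a simplified model of the quoted text. The function names, the sample bytes and the policy OIDs under the 2.999 example arc are constructed for illustration.

```python
# Added example (not from the thread): DER walk of one certificatePolicies Extension.
CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this sub-identifier
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one sub-identifier
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def parse_policies_extension(ext_der):
    """Return (critical, [policyIdentifier OIDs]) for one Extension."""
    tag, ext, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(ext, 0)
    if tag != 0x06 or decode_oid(oid) != CERT_POLICIES:
        raise ValueError("not a certificatePolicies extension")
    tag, val, pos = read_tlv(ext, pos)
    critical = False  # critical BOOLEAN DEFAULT FALSE: absent in DER when false
    if tag == 0x01:
        critical = val != b"\x00"
        tag, val, pos = read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    _, seq, _ = read_tlv(val, 0)  # SEQUENCE OF PolicyInformation
    policies, p = [], 0
    while p < len(seq):
        _, info, p = read_tlv(seq, p)
        policies.append(decode_oid(read_tlv(info, 0)[1]))  # policyIdentifier
    return critical, policies

def may_rely(ext_der, use_policy, required_policy=None):
    """Simplified model: critical limits use to a listed policy; non-critical
    only matters if the relying party itself requires a policy (assumption)."""
    critical, policies = parse_policies_extension(ext_der)
    if critical:
        return use_policy in policies
    return required_policy is None or required_policy in policies
```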