[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Attribute Certificate Policy??

To: "'David A. Cooper'" <david.cooper@xxxxxxxx>, ietf-pkix@xxxxxxx
Subject: RE: Attribute Certificate Policy??
From: Peter Williams <peterw@xxxxxxxxxxxx>
Date: Thu, 07 Mar 2002 15:15:12 -0800
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Im not sure I agree with David Chadwick that
X.509 needs to be involved to address the
needs of AA cert issuing policies.

Why not?

Relying parties ARE REQUIRED by X.509 to obtain
privilege policy, when doing AA path processing.
AA path processing requires handling the privilege
policy-defined constraints.

"The privilege verifier must also determine whether or not the privileges
being asserted are sufficient for the context of
use. The privilege policy establishes the rules for making this
determination and includes specification of any
environmental variables that need to be considered. The privileges asserted,
including those resulting from the role
procedure in 16.2 and the delegation procedure in 16.3 and any relevant
environmental variables (e.g. time of day or
current account balance) are compared against the privilege policy to
determine whether or not they are sufficient for the
context of use."

Relying parties are also required to:
"ensure that the delegator was authorized to delegate the 
privilege they own and" However authorization checking is
not a part of "privilege policy", as far as I can tell
from what the standard actually states.

I see no reason why an SOA-defined privilege, whose verification
of assertion is subject to the X.509 delegation path processing rules ,
cannot be 
defined as the "use of the rights and asumption of the oblitations defined
in 
an AA's CPS" I see no reason why the privilege assertion cannot be: 
cite a set of "AA-policy OIDs", where that set of OID  is just an 
SOA-defined privilege for the delegation path.

As with any privilege, under the privilege policy,
such an SOA_defined privilege would require handling under 
environment-specific processing rules, as defined by the SOA. These 
can be defined as: also evaluate a delgation path under the cert 
policy and cert policy mapping constraints rules used
in evaluating certification paths. 

I dont thinkg either X.509 or IETF needs to be involved (i.e.
we have to wait another 2 years) to do  this. It would be nice if IETF 
defined such a privilege type, but  nothing stops any SOA doing so. It 
doesnt seem to require an AA cert extension; a privilege definition
is sufficient.  

-----Original Message-----
From: David A. Cooper [mailto:david.cooper@xxxxxxxx]
Sent: Thursday, March 07, 2002 12:53 PM
To: ietf-pkix@xxxxxxx
Subject: RE: Attribute Certificate Policy??

I just want to point out that X.509 states that the certificatePolicies
extension is only to be used in public-key certificates.

The first sentences in section 8 of X.509 state: "The certificate extensions
defined in this clause are for use with public-key certificates, unless
otherwise stated. Extensions for use with attribute certificates are defined
in clause 15." There is nothing in section 8.2.2.6 on the
certificatePolicies extension stating that the extension may be used in an
attribute certificate, so its use is limited to public-key certificates.

I don't know what mechanisms, if any, are defined in X.509 to provide policy
information about attribute certificates, but perhaps someone who is more
familiar with that standard can provide some insight.

Dave

At 01:15 PM 3/7/02 -0500, Christopher S. Francis wrote:

>Yuriy,
>
>Hmm.... You certainly have more experience in this area than I do.  In
>actual practice what you say may indeed be the case.  I based my comments
on
>what I read in X.509.
>
> >From X.509 section 8.2.2.6 on the certificate policies extension:
>
>"If the extension is flagged critical, it indicates that the certificate
>shall only be used for the purpose, and in accordance with the rules
implied
>by one of the indicated certificate policies.  The rules of a particular
>policy may require the certificate-using system to process the qualifier
>value in a particular way.
>
>If the extension is flagged non-critical, use of this extension does not
>necessarily constrain use of the certificate to the policies listed.
>However, a certificate user may require a particular policy to be present
in
>order to use the certificate (see 10).  Policy qualifiers may, at the
option
>of the certificate user, be processed or ignored."
>
>Chris
>
>-----Original Message-----
>From: Yuriy Dzambasow [mailto:yuriy@xxxxxxxxxxxx]
>Sent: Thursday, March 07, 2002 12:29 PM
>To: Christopher S. Francis; Housley, Russ
>Cc: Ietf-Pkix
>Subject: RE: Attribute Certificate Policy??
>
>
>Chris:
>
>...snip...
>
> >
> > In some environments, I believe that an AA might in fact want to make
the
> > certificatePolicies extension critical, especially if there is legal
> > liability involved.  By making the extension critical it says that
relying
> > parties are required to accept the terms documented in the AA's CPS
before
> > relying on the authorizations granted in the certificate.
> >
> > Chris
>
>Marking an extension critical has nothing to do with accepting terms in CPs
>and CPSs.  Things like relying party agreements address this issue.
>
>Yuriy
>
>...snip...

Prev by Date: Re: Attribute Certificate Policy??
Next by Date: RE: Attribute Certificate Policy??
Previous by thread: RE: Attribute Certificate Policy??
Next by thread: RE: Attribute Certificate Policy??
Index(es):
- Date
- Thread