[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Attribute Certificate Policy??

To: ietf-pkix@xxxxxxx
Subject: RE: Attribute Certificate Policy??
From: Peter Williams <peterw@xxxxxxxxxxxx>
Date: Thu, 07 Mar 2002 16:26:24 -0800
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Summary:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-dpv-dpd-req-02.txt
7.1 seems seems insufficient to address PMI elements of remote
validation.

Note:

The topic of AA-cert policies and delegation path validation caused
me to review DPV requirements, for X.509 cert paths that contain
AA-issued privileges.(see X.509 13.2)

Though the PKIX profile of X.509 may not really address privileges that 
are represented in a public-key cert's subjectDirectoryAttribute extension,
the X.509-quality requirements for handling such a case of privlege 
management seem clear.

As described in X.509: "Privilege policy" rule execution is  required, when 
an  assertion of the privilege is made via subjectDirectoryAttribute, for
a cert issued by a combined CA/AA. The verifier (e.g. DPV server) MUST check
the delegation/certification path using each privilege-specific 
determination process, during (public-key) certificate path processing.
(X.509 16.3)

Ok, this means that a DPV server must also be able to handle this case,
and therefore "validation policy" must be defined to be include all 
"privilege policies" relevant to an evaluated cert chain. Hence
the definition in the IETF DPV/DPD requirements document
is somewhat insufficient, as it does not address this
X.509-imposed requirement.

Prev by Date: RE: Attribute Certificate Policy??
Next by Date: TSP interop test (NEC)
Previous by thread: RE: Attribute Certificate Policy??
Next by thread: RE: Attribute Certificate Policy??
Index(es):
- Date
- Thread