
Re: Q: Where should do I put a max amount in a X.509v3 certificate?




At 04:00 PM 3/4/02 -0500, Stephen Kent wrote:


At 1:50 PM -0300 3/3/02, Roberto Opazo Gazmuri wrote:
IETF-PKIX:

I would like to ask the WG opinion about "the correct" place to indicate
that a certificate should not be used to validate electronic signatures for
an amount over a determined maximum.

Here we are delegating to the RP the responsibility of validating the
certificate content to see if there is a limit and I have not seen a good
place to put this information. We need to indicate:
1.- There is a general limit, not for a specific transaction type
2.- The amount of the limit
3.- The type of money in which the amount is expressed

Is there a standard extension for that?

Thanks,

Opazo, Roberto (roberto@xxxxxxxx)
CEO - www.acepta.com
Certification Authority for Chile

There is no standard extension for conveying this info. One might use the policy ID field and policy qualifiers to represent this info in a machine readable fashion, but we have generally advised folks to not use the policy qualifier field.


Steve

Roberto,


The first question is "what is the range of uses for your certificates"? Will they only be used in context of the maximum dollar amount, or do you expect them to be used for S/MIME, TLS, or IPsec? Will they be used in a closed community - the same one that understands the maximum amount information - or will the community that uses the amount information be one of several that use the certificate?

As Steve has said, a standard method for representing the maximum amount hasn't been established. Several possibilities exist; each has a different impact on interoperability.

(1) It *could* be represented in a policy qualifier, although I must say I find that option personally distasteful. You could place the information in a private qualifier, or perhaps the user notice qualifier would work. Either way, you shouldn't expect other communities to accept that policy for their applications. If you want interoperability, you would need to place multiple policies in the certificate, and represent the amount information in the qualifier associated with one of the certificate policies.

(2) It *could* be represented in a private extension. As long as those extensions are non-critical, that shouldn't hinder interoperability.

(3) It might be possible to use the subject directory attributes extension to convey the information. (I am not sure if a maximum amount directory attribute has already been established.) Since it is always non-critical, this shouldn't impact interoperability.

Regardless of the path you choose, an off-the-shelf client will not understand the reliance information. To support the application(s) that will process this information, you may need to develop a custom plug-in.

The real question is "Should that information be in the certificate?" This kind of information may change over the life of a certificate.

IMHO, this is a really good place to use OCSP. You could use the OCSP response to convey the most current reliance amount to relying parties that need the information. Relying parties that don't care (e.g., an S/MIME client) can still use OCSP to get status information without requesting the maximum amount information.

Tim Polk
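
The following is an added example, not part of the thread: a relying-party check for option (2), a private non-critical extension carrying the currency and amount from the original question. The OID, the ASN.1 layout `SEQUENCE { currency PrintableString, amount INTEGER }`, the `CLP` sample values and the choice to treat a missing extension as "no limit" are all assumptions made for illustration.

```python
# Hypothetical private extension; the OID is a placeholder, not a registered arc.
PRIVATE_OID = "1.3.6.1.4.1.99999.1"

def _tlv(tag, body):
    """DER tag-length-value with definite (short or long form) length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_max_amount(currency, amount):
    """CA side: SEQUENCE { PrintableString currency, INTEGER amount >= 0 }."""
    integer = amount.to_bytes(amount.bit_length() // 8 + 1, "big")
    return _tlv(0x30, _tlv(0x13, currency.encode("ascii")) + _tlv(0x02, integer))

def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first & 0x80:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def decode_max_amount(der):
    """RP side: strict parse, rejecting anything that is not the expected layout."""
    try:
        tag, seq, end = _read(der, 0)
        t_cur, cur, p = _read(seq, 0)
        t_amt, amt, p = _read(seq, p)
    except IndexError:
        raise ValueError("truncated header")
    if (tag, t_cur, t_amt) != (0x30, 0x13, 0x02) or end != len(der) or p != len(seq):
        raise ValueError("unexpected structure")
    amount = int.from_bytes(amt, "big", signed=True)
    if len(cur) != 3 or amount < 0:
        raise ValueError("bad currency code or negative amount")
    return cur.decode("ascii"), amount

def may_rely(extensions, currency, amount):
    """extensions: {oid: (critical, der_value)} taken from an already validated cert."""
    if PRIVATE_OID not in extensions:
        return True   # assumption: no extension means no stated limit
    try:
        cur, limit = decode_max_amount(extensions[PRIVATE_OID][1])
    except ValueError:
        return False  # fail closed on a malformed limit
    return cur == currency and amount <= limit  # no currency conversion attempted
```

A client that does not know the OID skips the extension because it is non-critical, which is the interoperability property described in option (2); only the custom relying-party code enforces the limit.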