
RE: Q: Where should do I put a max amount in a X.509v3 certificate?




      Peter:

      Since this "purchase limit" is intended as a constraint on signed
orders, and those are signed by PKC's rather than AC's, the constraint
needs to go into the PKC.  I also don't think the syntax is very complex
(currency designator and amount - the only choice you need to make is
whether to encode amount as Numeric String, Integer, or Real).
PolicyQualifier would make the most sense if it weren't for the conflict
between the existing use of criticality in CertificatePolicies and its use
for this feature.  If PolicyQualifiers are to remain deprecated for uses
like these, IMHO the only places for these to go are a new extension or
SubjectAltName OTHER-NAME, and it really isn't a naming attribute.
      Does profiling a new extension in new-part1 make sense?

            Tom Gindin


"Yee, Peter" <pyee@xxxxxxxxxxxxxxx>@mail.imc.org on 03/08/2002 02:45:51 PM

Sent by:    owner-ietf-pkix@xxxxxxxxxxxx


To:    "'Tim Polk'" <tim.polk@xxxxxxxx>, Roberto Opazo Gazmuri
       <roberto@xxxxxxxx>
cc:    "PKIX (Grupo de la IETF)" <ietf-pkix@xxxxxxx>
Subject:    RE: Q: Where should do I put a max amount in a X.509v3
       certificate?



Tim suggests using a policy qualifier, private extension, or
subject directory attribute.  (And OCSP, with which I really have
to disagree respectfully).  I'll offer another alternative: attribute
certificates.  These seem to be a natural fit and were suggested for
just such a purpose.

Sure, I'm glossing over the plethora of software that actually
supports ACs, but most of the other suggestions aren't implemented
either. :-)


-Peter Yee

pyee@xxxxxxxxxxxxxxx
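
The "new extension" option from the reply at the top of this message (currency designator plus amount, with criticality as the open question), as an added example that is not part of either message. The OID is a constructed placeholder, and the choice of INTEGER in minor currency units and the function names are assumptions of this sketch.

```python
# Added illustration. LIMIT_OID is a constructed placeholder, not a registered OID.
# Assumed syntax: SEQUENCE { currency PrintableString, amount INTEGER (minor units) }.
LIMIT_OID = "1.3.6.1.4.1.99999.1"

def tlv(tag, body):
    """DER tag-length-value; long-form length when the body is 128 bytes or more."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_int(v):
    """Non-negative INTEGER, minimal length with a leading 0x00 where the top bit is set."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def purchase_limit_extension(currency, amount, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    value = tlv(0x30, tlv(0x13, currency.encode("ascii")) + der_int(amount))
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits the default FALSE
    return tlv(0x30, der_oid(LIMIT_OID) + crit + tlv(0x04, value))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_extension(der):
    _, body, _ = read_tlv(der)
    _, oid, pos = read_tlv(body)
    tag, val, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN present
        critical, (tag, val, pos) = val != b"\x00", read_tlv(body, pos)
    return oid, critical, val

def order_allowed(ext_der, currency, amount, understands_limit=True):
    """Relying-party decision; software that does not know the OID sees only criticality."""
    _, critical, value = parse_extension(ext_der)
    if not understands_limit:
        return not critical  # critical + unknown: reject cert; non-critical: limit ignored
    _, seq, _ = read_tlv(value)
    _, cur, pos = read_tlv(seq)
    _, amt, _ = read_tlv(seq, pos)
    return cur.decode("ascii") == currency and amount <= int.from_bytes(amt, "big")
```

Marked non-critical, the limit is silently skipped by software that does not recognise the extension; marked critical, that same software rejects the certificate for every use.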