
RE: Q: Where should I put a max amount in an X.509v3 certificate?



      The following contribution to this discussion is being posted on
behalf of Francois Rousseau.

---------------------- Forwarded by Tom Gindin/Watson/IBM on 03/11/2002 12:20 PM ---------------------------

Francois.Rousseau@xxxxxxxxxxxxx on 03/11/2002 11:48:30 AM

To:    Tom Gindin/Watson/IBM@xxxxx
cc:    pyee@xxxxxxxxxxxxxxx, tim.polk@xxxxxxxx, roberto@xxxxxxxx,
       Francois.Rousseau@xxxxxxxxxxxxx
Subject:    RE: Q: Where should I put a max amount in an X.509v3 certificate?


Tom,

I totally agree with Peter's suggestion on this one, since this was the whole
reason for adding the Signing Certificate Attribute within the Enhanced
Security Services for S/MIME [RFC2634].  It was meant to bind an attribute
certificate to a signed transaction, as required here by Roberto.  If the
authorized max amount will change more often than the private signing key of
the individual, then attribute certificates are certainly more interesting
than using a policy qualifier, private extension, or the subject directory
attribute.

Feel free to distribute this comment and your response on the mailing list
since I am not currently a member of the PKIX list, but only monitor its
status on the web site.

Regards,

Francois
---------------------------------
Francois Rousseau
IT Standards, Senior Advisor - CSE
Conseiller Superieur, Normes TI - CST
francois.rousseau@xxxxxxxxxxxxx
(613) 991-8364
Edward Drake Building
1500 Bronson, Ottawa, Ontario, K1G 3Z4


> From: "Tom Gindin" <tgindin@xxxxxxxxxx>
>
>      Peter:
>
>      Since this "purchase limit" is intended as a constraint on signed
> orders, and those are signed by PKC's rather than AC's, the constraint
> needs to go into the PKC.  I also don't think the syntax is very complex
> (currency designator and amount - the only choice you need to make is
> whether to encode amount as Numeric String, Integer, or Real).
> PolicyQualifier would make the most sense if it weren't for the conflict
> between the existing use of criticality in CertificatePolicies and its use
> for this feature.  If PolicyQualifiers are to remain deprecated for uses
> like these, IMHO the only places for these to go are a new extension or
> SubjectAltName OTHER-NAME, and it really isn't a naming attribute.
>       Does profiling a new extension in new-part1 make sense?
>
>            Tom Gindin
>
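As an added example (not from the thread or any of its participants), here is what the two-field "currency designator and amount" syntax Tom describes would look like as a DER-encoded extension value, together with the check a relying party would run on a signed order. The SEQUENCE layout, the choice of INTEGER in minor currency units, and the absence of any registered OID are assumptions made here.

```python
# Added example: DER encoding of a hypothetical purchaseLimit extension value,
# SEQUENCE { currency PrintableString, amount INTEGER }, and the relying-party
# check that a signed order falls within it.  Pure stdlib, hand-rolled DER.

def _der_len(n):
    # DER definite length: short form below 0x80, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_integer(value):
    # Minimal two's-complement encoding; limits are never negative here.
    if value < 0:
        raise ValueError("purchase limit must be non-negative")
    n = (value.bit_length() + 8) // 8  # +8 keeps the sign bit clear
    return _tlv(0x02, value.to_bytes(n, "big"))

def der_printable_string(s):
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789 '()+,-./:=?")
    if not set(s) <= allowed:
        raise ValueError("not a valid PrintableString")
    return _tlv(0x13, s.encode("ascii"))

def encode_purchase_limit(currency, amount_minor):
    # amount_minor is in minor units (e.g. cents), so INTEGER is exact.
    return _tlv(0x30, der_printable_string(currency) + der_integer(amount_minor))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def decode_purchase_limit(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("bad SEQUENCE")
    t1, cur, p = _read_tlv(body, 0)
    t2, amt, p = _read_tlv(body, p)
    if t1 != 0x13 or t2 != 0x02 or p != len(body):
        raise ValueError("bad purchaseLimit syntax")
    return cur.decode("ascii"), int.from_bytes(amt, "big", signed=True)

def order_within_limit(limit_der, order_currency, order_amount_minor):
    # Verifier side: currency must match and the amount must not exceed the limit.
    cur, limit = decode_purchase_limit(limit_der)
    return order_currency == cur and 0 <= order_amount_minor <= limit
```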