Re: Q: Where should do I put a max amount in a X.509v3 certificate?

If the signed document is formatted using CMS or PKCS#7, there is no
defined AA with authority to set a limit such as this, while there is a CA.
Francois Rousseau, in a separate communication which will be posted to the
group as well, points out that RFC 2634's signingCertificate attribute can
bind a signature to an AC. I think that the optional nature of that
attribute leaves the PKC as a preferable location. In view of Juergen
Brauckman's posting, there is certainly no reason for any new objects to be
defined in conflict with ETSI's definitions. The only other issue I can
see is whether there is any reason for non-QC's to have a separate
extension to carry monetaryLimit without incorporating the qcStatements
extension.

Tom Gindin

Stephen Farrell <stephen.farrell@xxxxxxxxxxxx> on 03/11/2002 09:10:08 AM

Please respond to stephen.farrell@xxxxxxxxxxxx

To: Tom Gindin/Watson/IBM@xxxxx
cc: "Yee, Peter" <pyee@xxxxxxxxxxxxxxx>, "'Tim Polk'"
<tim.polk@xxxxxxxx>, Roberto Opazo Gazmuri <roberto@xxxxxxxx>, "PKIX
(Grupo de la IETF)" <ietf-pkix@xxxxxxx>
Subject: Re: Q: Where should do I put a max amount in a X.509v3
certificate?

Tom,

> Since this "purchase limit" is intended as a constraint on signed
> orders, and those are signed by PKC's rather than AC's, the constraint
> needs to go into the PKC.

That's wrong (even ignoring the careless language). The requirement is
presumably that the amount is somehow attested to by an authority.
That doesn't distinguish an AC-based from a PKC-based solution.

> Does profiling a new extension in new-part1 make sense?

IMO, No - and not until there'll be a *lot* of RP s/w that pays
attention.

Stephen.

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com