RE: Q: Where should do I put a max amount in a X.509v3 certificate?
Money is very complicated. We should not try to invent our own syntax to
specify monetary amounts. I suggest we steal one that is already in use:
-- CurrencyAmount specifies the currency and a monetary value.
-- Currency codes are defined in ISO 4217. The monetary value
-- is: amount * (10 ** amtExp10), and the exponent MUST be the
-- minor unit of currency specified in ISO 4217.
CurrencyAmount ::= SEQUENCE {
    currency    INTEGER (1..999),
    amount      INTEGER (0..MAX),
    amtExp10    INTEGER (0..MAX) }
Russ
-----Original Message-----
From: Tom Gindin
To: Yee, Peter
Cc: 'Tim Polk'; Roberto Opazo Gazmuri; PKIX (Grupo de la IETF)
Sent: 3/11/02 7:32 AM
Subject: RE: Q: Where should do I put a max amount in a X.509v3 certificate?
Peter:
Since this "purchase limit" is intended as a constraint on signed
orders, and those are signed by PKC's rather than AC's, the constraint
needs to go into the PKC. I also don't think the syntax is very complex
(currency designator and amount - the only choice you need to make is
whether to encode amount as Numeric String, Integer, or Real).
PolicyQualifier would make the most sense if it weren't for the conflict
between the existing use of criticality in CertificatePolicies and its use
for this feature. If PolicyQualifiers are to remain deprecated for uses
like these, IMHO the only places for these to go are a new extension or
SubjectAltName OTHER-NAME, and it really isn't a naming attribute.
Does profiling a new extension in new-part1 make sense?
Tom Gindin
"Yee, Peter" <pyee@xxxxxxxxxxxxxxx>@mail.imc.org on 03/08/2002 02:45:51 PM
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
To: "'Tim Polk'" <tim.polk@xxxxxxxx>, Roberto Opazo Gazmuri <roberto@xxxxxxxx>
cc: "PKIX (Grupo de la IETF)" <ietf-pkix@xxxxxxx>
Subject: RE: Q: Where should do I put a max amount in a X.509v3 certificate?
Tim suggests using a policy qualifier, private extension, or
subject directory attribute. (And OCSP, with which I really have
to disagree respectfully). I'll offer another alternative: attribute
certificates. These seem to be a natural fit and were suggested for
just such a purpose.
Sure, I'm glossing over the plethora of software that actually
supports ACs, but most of the other suggestions aren't implemented
either. :-)
-Peter Yee
pyee@xxxxxxxxxxxxxxx
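
Added example, not part of the original thread or any PKIX code: a strict DER encoder and decoder for the CurrencyAmount SEQUENCE proposed at the top of the thread, plus a purchase-limit comparison that uses the value formula from its comments. The function names, the MAX_EXP cap, the short-form-length restriction and the sample values are assumptions of this example.

```python
MAX_EXP = 4  # assumed sanity cap (not from the thread) so 10**amtExp10 stays small

def _enc_int(n):
    # DER INTEGER for n >= 0: minimal big-endian, 0x00 pad when the top bit is set
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body

def encode(currency, amount, amt_exp10):
    body = _enc_int(currency) + _enc_int(amount) + _enc_int(amt_exp10)
    if len(body) > 127:
        raise ValueError("example handles short-form lengths only")
    return b"\x30" + bytes([len(body)]) + body

def _dec_int(buf, pos):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    n, start = buf[pos + 1], pos + 2
    if n == 0 or n > 127 or start + n > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[start:start + n]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is outside the declared ranges")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), start + n

def decode(der):
    # Exactly one SEQUENCE of three INTEGERs, no trailing bytes.
    if len(der) < 2 or der[0] != 0x30 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form SEQUENCE")
    pos, fields = 2, []
    for _ in range(3):
        value, pos = _dec_int(der, pos)
        fields.append(value)
    if pos != len(der):
        raise ValueError("trailing data inside SEQUENCE")
    currency, amount, exp = fields
    if not 1 <= currency <= 999 or exp > MAX_EXP:
        raise ValueError("currency or amtExp10 out of range")
    return currency, amount, exp

def within_limit(order_der, limit_der):
    oc, oa, oe = decode(order_der)
    lc, la, le = decode(limit_der)
    if oc != lc:
        return False  # different currencies: fail closed, no conversion
    return oa * 10 ** oe <= la * 10 ** le  # value formula from the thread

LIMIT = encode(840, 5000, 2)  # constructed sample; 840 is USD in ISO 4217
```

The decoder rejects non-minimal and negative INTEGERs so that a relying party and a signer cannot disagree about which amount a given byte string encodes.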