RE: Q: Where should do I put a max amount in a X.509v3 certificate?
In practice, people are modifying the PK-cert borne
authorization via the OCSP response, whose extension
contains a form of (unsigned) AC. Once AC syntax becomes
popular, the trend will be to express the
privilege in AC syntax, rather than ad hoc. For
now, folks need something that works. As cert
validation need not use any source of revocation
notices, one needs base authorization in
the PK cert, and a properly defined privilege
scheme that controls how one processes privileges
from two sources, one of which is the PK cert. (Essentially,
follow the X.509 rules on controlling privilege delegation, when
using the PK cert's subjectDirectoryAttributes for
base privilege expression.)
-----Original Message-----
From: Michael Myers [mailto:myers@xxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 12:17 PM
To: Tom Gindin; stephen.farrell@xxxxxxxxxxxx
Cc: Yee, Peter; 'Tim Polk'; Roberto Opazo Gazmuri; PKIX (Grupo de la
IETF)
Subject: RE: Q: Where should do I put a max amount in a X.509v3 certificate?
Tom, all:
Perhaps the following design principle is well understood but in
the context of this thread I think it bears repeating. Namely,
the more authorization type attributes bound into a PK cert, the
more likely that PK cert will be revoked prior to its
expiration. Hence ACs.
Mike