[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q: Where should do I put a max amount in a X.509v3 certificat e?

To: <stephen.farrell@xxxxxxxxxxxx>, <Lynn.Wheeler@xxxxxxxxxxxxx>
Subject: Re: Q: Where should do I put a max amount in a X.509v3 certificat e?
From: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Date: Mon, 11 Mar 2002 22:24:43 +0100
Cc: "PKIX \(Grupo de la IETF\)" <ietf-pkix@xxxxxxx>, <owner-ietf-pkix@xxxxxxxxxxxx>, "Yee, Peter" <pyee@xxxxxxxxxxxxxxx>, "Roberto Opazo Gazmuri" <roberto@xxxxxxxx>, "Tom Gindin" <tgindin@xxxxxxxxxx>, "'Tim Polk'" <tim.polk@xxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Lynn,
Your posting supports my general belief that it does not make much sense to put any
"information" in a PKC except for the bare-bones minimum needed to identify the entity.
This is why "employee certificates" is an equally problematic idea, as putting transaction
limits in certificates.  Employment data changes quickly, your identity does not.

Anders

----- Original Message -----
From: <lynn.wheeler@xxxxxxxxxxxxx>
To: <stephen.farrell@xxxxxxxxxxxx>
Cc: "PKIX (Grupo de la IETF)" <ietf-pkix@xxxxxxx>; <owner-ietf-pkix@xxxxxxxxxxxx>; "Yee, Peter" <pyee@xxxxxxxxxxxxxxx>; "Roberto
Opazo Gazmuri" <roberto@xxxxxxxx>; "Tom Gindin" <tgindin@xxxxxxxxxx>; "'Tim Polk'" <tim.polk@xxxxxxxx>
Sent: Monday, March 11, 2002 19:03
Subject: Re: Q: Where should do I put a max amount in a X.509v3 certificat e?

I believe that the "purchase limit" idea was to emulate the "signing limit"
checks of, at least pre-80s (if not earlier) ... effectively having some
value to limit various kinds of fraud and exploits in an offline
transaction environment.

Sometime in the '60s, they started to discover these type of controls was
being circumvented by things like multiple operations ... and so started
the migration to online transactions that could support aggregation,
velocity, rate, etc. Moving to an online transaction paradigm in the '70s &
'80s  (real time, aggregation, velocity, rate, etc) started to make the
offline, credential "signing limit" paradigm redundant and superfulous.

stephen.farrell@xxxxxxxxxxxx on 3/11/2002 7:10 am wrote:

Tom,

>       Since this "purchase limit" is intended as a constraint on signed
> orders, and those are signed by PKC's rather than AC's, the constraint
> needs to go into the PKC.

That's wrong (even ignoring the careless language). The requirement is
presumably that the amount is somehow attested to by an authority.
That doesn't distinguish an AC-based from a PKC-based solution.

>       Does profiling a new extension in new-part1 make sense?

IMO, No - and not until there'll be a *lot* of RP s/w that pays
attention.

Stephen.

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@xxxxxxxxxxxx
Ireland                             http://www.baltimore.com

References:
- Re: Q: Where should do I put a max amount in a X.509v3 certificat e?
  - From: lynn . wheeler

Prev by Date: RE: Q: Where should do I put a max amount in a X.509v3 certificat e?
Next by Date: RE: Q: Where should do I put a max amount in a X.509v3 certificat e?
Previous by thread: Re: Q: Where should do I put a max amount in a X.509v3 certificat e?
Next by thread: RE: Q: Where should do I put a max amount in a X.509v3 certificat e?
Index(es):
- Date
- Thread