
RE: Q: Where should do I put a max amount in a X.509v3 certificate?



Tom,
	I wasn't suggesting that complexity was the hangup in implementing
a purchase limit in either PKCs or ACs -- simply that most commercial
products don't deal with many "unusual" extensions.

	I'll also agree with others who note that tying a hard limit in
to an identity certificate is likely to result in expiration of these
certificates unless used in very constrained cases -- those with limits
that don't change and where the authorization to use those limits matches
the lifetime of the identity certificate.  Those constraints seem
artificially narrow to me.  Certainly, if you can find an application that
works within those limits (and others), then putting the purchase limit in
the PKC has its merits.

						-Peter

>From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
>Sent: Monday, March 11, 2002 4:33 AM
>Subject: RE: Q: Where should do I put a max amount in a X.509v3 certificate?
>
>
>
>      Peter:
>
>      Since this "purchase limit" is intended as a constraint on signed
>orders, and those are signed by PKC's rather than AC's, the constraint
>needs to go into the PKC.  I also don't think the syntax is very complex
>(currency designator and amount - the only choice you need to make is
>whether to encode amount as Numeric String, Integer, or Real).
>PolicyQualifier would make the most sense if it weren't for the conflict
>between the existing use of criticality in CertificatePolicies and its use
>for this feature.  If PolicyQualifiers are to remain deprecated for uses
>like these, IMHO the only places for these to go are a new extension or
>SubjectAltName OTHER-NAME, and it really isn't a naming attribute.
>      Does profiling a new extension in new-part1 make sense?
>
>            Tom Gindin
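
An added example, not part of either message: the "currency designator and amount" syntax with the Integer choice, DER-encoded as a certificate extension, together with the relying-party rule that decides what happens when a product does not recognise the extension. The `PurchaseLimit` structure, the OID 2.999.1 (the ASN.1 example arc) and the minor-units convention for the amount are assumptions made for illustration, not something the thread or a standard defines.

```python
# Added illustration, not from the thread. PurchaseLimit and its OID are
# hypothetical; amount is assumed to be in minor units (e.g. cents).
#   PurchaseLimit ::= SEQUENCE { currency PrintableString (SIZE(3)), amount INTEGER }
LIMIT_OID = bytes.fromhex("0603883701")  # DER of OID 2.999.1 (example arc)

def tlv(tag, content):
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def purchase_limit_ext(currency, amount, critical=False):
    if len(currency) != 3 or not (currency.isascii() and currency.isalpha()) or amount < 0:
        raise ValueError("need a 3-letter currency code and a non-negative amount")
    # bit_length() // 8 + 1 octets: minimal length with the sign bit left clear.
    integer = tlv(0x02, amount.to_bytes(amount.bit_length() // 8 + 1, "big"))
    value = tlv(0x30, tlv(0x13, currency.encode("ascii")) + integer)
    flag = tlv(0x01, b"\xff") if critical else b""  # DEFAULT FALSE is omitted in DER
    return tlv(0x30, LIMIT_OID + flag + tlv(0x04, value))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ext(ext):
    body = read_tlv(ext)[1]
    _, oid, pos = read_tlv(body)
    tag, val, pos = read_tlv(body, pos)
    critical = tag == 0x01 and val != b"\x00"
    if tag == 0x01:  # the BOOLEAN was present, so extnValue is the next element
        val = read_tlv(body, pos)[1]
    return tlv(0x06, oid), critical, val

def relying_party_accepts(ext, known_oids):
    # X.509 rule: an unrecognised extension is fatal only when marked critical.
    oid, critical, _ = parse_ext(ext)
    return not critical or oid in known_oids

def decode_limit(ext):
    seq = read_tlv(parse_ext(ext)[2])[1]
    _, cur, pos = read_tlv(seq)
    return cur.decode("ascii"), int.from_bytes(read_tlv(seq, pos)[1], "big")
```

Marked non-critical, the limit is silently skipped by software that does not know the OID, so it constrains nothing there; marked critical, the same software rejects the certificate outright.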