
RE: I-D ACTION:draft-ietf-pkix-acrmf-01.txt



>I recognize that [ACPROF], the Internet Attribute Certificate Profile, does
>not currently recommend the use of delegation and AC chains as specified in
>the X.509 standard [X.509-2000], however I would hope that your Internet
>Draft [ACRMF] on Attribute Certificate Request Message Format will not
>preclude it.

Yes, I would call that an oversight on my part.  I have to admit that
sometimes I think of ACs within the limited scope of ACPROF.

>More specifically, to not preclude this I would suggest that Section 5.2 on
>the "OldCert ID Control" should not just be specifying the certificate to be
>replaced, but in addition it should able to be used to specify the higher
>certificate in the AC chain from which privileges are delegated.  This would
>then ensure that delegation through an AA is also supported in the future.

>What do you think?

Sounds feasible to me.  Do you have a proposed syntax, or would something like
a pair of certificates (old certificate and "delegator") suffice?  [I'm sure
Phil G. will pop in here now with some proper syntax. :-)]

							-Peter Yee
							pyee@xxxxxxxxxxxxxxx

>Feel free to distribute this comment and your response on the mailing list
>since I am not currently a member of the PKIX list, but only monitor its
>status on the web site.
>
>Best regards,
>
>Francois
>---------------------------------
>Francois Rousseau
>IT Standards, Senior Advisor - CSE
>Conseiller Superieur, Normes TI - CST
>francois.rousseau@xxxxxxxxxxxxx
>(613) 991-8364
>Edward Drake Building
>1500 Bronson, Ottawa, Ontario, K1G 3Z4