
RE: Attribute Certificate Policy??



 Sharon,
 
I find your writing the clearest of any architect in PKIX, by far,
and always consistent with simple readings of what the international
standards actually say. You always attempt to
adopt the model being specified, rather than contort language
via profiling to perhaps enable the international standards to address
something else. Whilst a standard is insufficient
if you have to ask an author/editor what it means, I seek
a clear opinion on one issue raised in your mail to PKIX
on the topic of attribute certificate policy and privilege
policies.
 
The opinion issue concerns the "acceptablePrivilegePolicies extension" which
must be absent in a conforming PKIX AC.
 
Question:
 
Does the X.509 standard mean that one should/may evaluate privilege assertions as valid (against
some privilege policies) in the ABSENCE of acceptablePrivilegePolicies?
 
-------------
 
 
Now I have a point of confusion (being a pretty ignorant soul who
has learned a lot in the last week and is very
excited now with PMI given privilege policies) if a verifier
does indeed evaluate privilege policies:
 
Given your commentary on the authority model of SOA/AAs, and the absence
by design of an AA issuer's certification policy/practice, how does
one determine which privilege policies to apply?
 
Or is the ambiguity of privilege policy requirement there by design,
in the absence of acceptablePrivilegePolicy Extension: that is, it's
a relying party matter to select the policies to be applied?