
RE: Attribute Certificates and Privilege Policy



I concur with Denis.  It seems entirely reasonable that an AA may want to
apply different levels of verification of the attributes presented in the
ACs that it issues.

Just as commercial CAs issue PK certificates under various policies,
charging higher prices for higher levels of assurance, an Attribute
Authority may want to issue ACs under various policies, with different
levels of assurance based on the level of verification of the asserted
attributes.

Chris

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
Behalf Of Denis Pinkas
Sent: Friday, March 15, 2002 12:50 PM
To: Sharon Boeyen
Cc: 'ietf-pkix@xxxxxxx'
Subject: Re: Attribute Certificates and Privilege Policy


Sharon,

Yes, this is indeed a very long e-mail. Mine will be shorter.

In short, the "privilege policy" is the equivalent of a
"validation policy" (see the DPV requ. draft available from
http://www.imc.org/draft-ietf-pkix-dpv-dpd-req), but it is NOT
the equivalent of a certification policy.

You said: "In terms of 'why no certificate policy' - there was no need
identified for an equivalent".

For CAs there are different levels of verification of the identity presented
at the time of registration. This level is "visible" through the certificate
policy.

I do not see why we should not draw a parallel with attributes, where for
AAs there would be different levels of verification of the attributes
presented at the time of registration. This level would be "visible" through
the "attribute policy".

A validation policy (i.e. privilege policy using the ISO terminology) may
consider that some attribute policies are adequate and that some others are
not.

Otherwise, the single way to trust is to use the name of the AA.

If an AA supports different "attribute policies", it would have to change
its name each time. :-(

Thus I see a good reason to have an equivalent.

Regards,

Denis