Re: Attribute Cert Policies Rationale
Chris,
The complexity of PKI policy is not commensurate with the
number of arcs in a policy OID, but I guess we all know
that already.
And I take it that since you only disagree about the
desirability aspects, you acknowledge that this is not
necessary.
I could be somewhat rude and tell you where to stick
your policy OID...Into your RDN:-) But seriously, what's
the difference? That only needs another PKC per AA,
instead of new s/w per relying party and AA. Seems like
a no-brainer to me until your policies are such that
this doesn't work, something that I don't believe you've
shown so far.
Cheers,
Stephen.
"Christopher S. Francis" wrote:
>
> Thank you for your comments Stephen.
>
> ... snip
>
> The reason it isn't desirable is that AC usage is still almost
> non-existent, and adding yet more complexity is a very good way
> to ensure that things stay as they are.
>
> ... end snip
>
> I can't believe you feel adding an extension w/ an OID is complex compared
> to the other topics that regularly get discussed here :)).
>
> While I agree that AC usage is not widespread, as someone who is actually
> operating a commercial attribute authority, I must respectfully disagree.
> It is precisely because my company is trying to use attribute certificates
> for something real that this issue has come up. Not making changes to
> accommodate real-world experiences is a sure-fire way to ensure that usage
> of ACs remains extremely limited.
>
> Chris
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com