Re: Showing Nationality in Cert
- To: "Vickers, Randal R" <vickersr@xxxxxxxxxxxx>, "PKIX Mailing List (E-mail)" <ietf-pkix@xxxxxxx>
- Subject: Re: Showing Nationality in Cert
- From: Bill Burr <william.burr@xxxxxxxx>
- Date: Mon, 19 Jul 1999 10:35:08 -0400
- Cc: "Flanigan, Bill" <flanigab@xxxxxxxxxxxx>, "Friedrichs, Paul" <FriedriP@xxxxxxxxxxxx>, "Nelson, Lee" <nelson2l@xxxxxxxxxxxx>, "Sam Schaen (E-mail)" <schaen@xxxxxxxxx>, "Jamil Nimeh (E-mail)" <nimeh@xxxxxxxxxxxxxxxxxxx>, simonetti_david@xxxxxxx, wfilli@xxxxxxxxxxxxxx
- In-reply-to: <>
Randal,
The recommendation of the Federal PKI Technical Working Group, embodied in
our Certificate and CRL profile, is to use the subjectDirectoryAttributes
extension with a data structure called Partition Rule-Based Access Control
(PRBAC) to hold citizenship (and other possibly access control related
information such as security clearance). The PRBAC structure was developed
for the MISSI program, and is defined, I believe, in the SDN 702, 706 and
801 documents.
The logic for our recommendation was not particularly profound, but I think
it still holds: it would be good if everybody put this information in the
same place, and the MISSI folks had already designed a structure for it.
The current Federal Profile draft is online at:
<http://csrc.nist.gov/pki/twg/papers/twg-99-01.pdf>
Regards,
Bill Burr
At 10:40 AM 7/17/99 -0400, Vickers, Randal R wrote:
>I work with the US DoD PKI engineers at the Defense Information Systems
>Agency. Requirements from the Assistant Secretary of Defense for C3I state
>that we must show citizenship or nationality (semantics) in the cert. My
>question is what extension does anyone recommend placing it in? We have
>looked at subjectDirectoryattribute and one of the extensions below
>subjectAlternatename. We are not locked into any one thing as long as it is
>standards based.
> Thanks
> Randal Vickers
>
>
Regards,
Bill Burr
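
An added example, not part of the original message or of the Federal profile: a minimal DER builder and strict parser for a subjectDirectoryAttributes extension value that carries citizenship. Because the PRBAC syntax is not given in this thread, it assumes the PKIX countryOfCitizenship attribute (OID 1.3.6.1.5.5.7.9.4) as a stand-in; all function names and sample values are constructed.

```python
# Added example; sample values are constructed. Encodes countryOfCitizenship,
# not PRBAC (assumption: the PRBAC ASN.1 is not given in this message).
OID_SUBJECT_DIRECTORY_ATTRIBUTES = "2.5.29.9"  # extnID this value goes under
# DER of OID 1.3.6.1.5.5.7.9.4 (id-pda-countryOfCitizenship)
COUNTRY_OF_CITIZENSHIP = bytes.fromhex("06082b06010505070904")

def tlv(tag, body):
    if len(body) > 0x7F:  # short-form length covers these small values
        raise ValueError("long-form length not implemented in encoder")
    return bytes([tag, len(body)]) + body

def children(buf):
    """Yield (tag, body) for each TLV in buf; ValueError on malformed DER."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form; a bare 0x80 (indefinite) is not DER
            k = n & 0x7F
            if k == 0 or pos + k > len(buf):
                raise ValueError("bad length")
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated body")
        yield tag, buf[pos:pos + n]
        pos += n

def build_extn_value(countries):
    """SEQUENCE OF Attribute { type OID, values SET OF PrintableString }."""
    vals = b"".join(sorted(tlv(0x13, c.encode("ascii")) for c in countries))
    return tlv(0x30, tlv(0x30, COUNTRY_OF_CITIZENSHIP + tlv(0x31, vals)))

def citizenships(extn_value):
    """Return citizenship codes; skip other attributes, reject bad structure."""
    (tag, attrs), = children(extn_value)  # ValueError unless exactly one TLV
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found = []
    for _, attr in children(attrs):
        (t1, oid), (t2, vals) = children(attr)  # Attribute has exactly 2 fields
        if (t1, oid) != (0x06, COUNTRY_OF_CITIZENSHIP[2:]):
            continue
        for t, v in children(vals):
            if t2 != 0x31 or t != 0x13 or len(v) != 2:
                raise ValueError("expected SET OF 2-char PrintableString")
            found.append(v.decode("ascii"))
    return found
```

A relying party that makes access decisions on this value should treat a parse failure as "no citizenship asserted" rather than falling back to a default.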