RE: AC509 Login Name
Thanks to Kensaku, Andy and Stephen for all their comments.
I don't think OTHER-NAME on its own meets my requirement. This requires an
OBJECT (type) IDENTIFIER to be registered so that others can recognise the
type.
I do not want to use rfc822Name as this misuses the field and has the wrong
semantics associated with it.
We could :
a) register a new OTHER-NAME type (as has been done in the QC draft) with its
OBJECT IDENTIFIER
e.g. using ASN.1 93:
flatname OTHER-NAME ::= {
    UTF8String IDENTIFIED BY id-on-flatname }
id-on-flatname OBJECT IDENTIFIER ::= { id-pkix-on ? }
b) use the FlatOrGeneralName syntax given below.
Either of the above would suit me. The implementor in me likes (b); the
structured designer in me prefers (a).
Nick
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> Sent: 21 December 1999 12:15
> To: Nick Pope
> Cc: ietf-pkix@imc.org
> Subject: Re: AC509 Login Name
>
>
>
> Hi Nick,
>
> > I am working on the use of attribute certificates for secure access to a
> > database, where the user's global identity authenticated using SSL/TLS needs
> > to be securely mapped to a local login name.
> >
> > I presume that the Access Identity, as defined in 4.5.2 of
> > <draft-ietf-pkix-ac509prof-01>, can be used for this function.
>
> That's the intent.
>
> > However, I cannot find an existing name form defined in X.509 for
> > GeneralNames which could be used for a local login name.
>
> Bit naughty, but what about using rfc822Name? It does map reasonably
> well in lots of cases so long as IA5String isn't a problem.
>
> > Could one be defined as part of the IETF attribute certificate profile?
> >
> > What syntax should this take? A choice between UTF-8 and General Name would
> > be the simplest.
>
> So you mean you'd prefer something like:
>
> SvceAuthInfo ::= SEQUENCE {
>     service  FlatOrGeneralName,
>     ident    FlatOrGeneralName,
>     authInfo OCTET STRING OPTIONAL
> }
>
> FlatOrGeneralName ::= CHOICE {
>     flat UTF8String,
>     gen  GeneralName
> }
>
> I wouldn't have a problem with this, if you're sure you can't
> use the rfc822 field (and I think I prefer the above to the use of
> otherName that Andy suggested). Anyone else?
>
> Regards,
> Stephen.
>
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies, tel: (direct line) +353 1 647 7406
> 61 Fitzwilliam Lane, fax: +353 1 647 7499
> Dublin 2. mailto:stephen.farrell@baltimore.ie
> Ireland http://www.baltimore.com
>
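An added example, not code from the thread or the PKIX draft: a minimal DER encoder for the FlatOrGeneralName CHOICE and SvceAuthInfo SEQUENCE quoted above, showing why the CHOICE decodes unambiguously (UTF8String and GeneralName alternatives carry different tags) and why rfc822Name's IA5String cannot carry a non-ASCII login name while the flat UTF8String can. The login names and addresses used are constructed sample values.

```python
from typing import Optional


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def utf8_string(s: str) -> bytes:
    # UNIVERSAL 12 (UTF8String): any Unicode login name is representable.
    return der_tlv(0x0C, s.encode("utf-8"))


def ia5_string(s: str) -> bytes:
    # UNIVERSAL 22 (IA5String): ASCII only; a non-ASCII name raises here,
    # which is the "so long as IA5String isn't a problem" caveat in the thread.
    return der_tlv(0x16, s.encode("ascii"))


def rfc822_name(addr: str) -> bytes:
    # GeneralName alternative rfc822Name [1] IMPLICIT IA5String: implicit
    # tagging replaces the IA5String tag with context-specific tag [1] (0x81).
    return der_tlv(0x81, addr.encode("ascii"))


def flat_or_general_name(flat: Optional[str] = None, gen: Optional[bytes] = None) -> bytes:
    # CHOICE with no outer tag: the chosen alternative's own tag identifies it,
    # so exactly one alternative must be supplied.
    if (flat is None) == (gen is None):
        raise ValueError("FlatOrGeneralName needs exactly one alternative")
    return utf8_string(flat) if flat is not None else gen


def svce_auth_info(service: bytes, ident: bytes, auth_info: Optional[bytes] = None) -> bytes:
    body = service + ident
    if auth_info is not None:
        body += der_tlv(0x04, auth_info)  # OCTET STRING OPTIONAL
    return der_tlv(0x30, body)  # SEQUENCE


def choice_alternative(encoded: bytes) -> str:
    # A decoder tells the alternatives apart from the leading tag octet alone:
    # UNIVERSAL 12 means 'flat'; context-specific [0]..[8] means a GeneralName.
    tag = encoded[0]
    if tag == 0x0C:
        return "flat"
    if (tag & 0xC0) == 0x80 and (tag & 0x1F) <= 8:
        return "gen"
    raise ValueError("not a FlatOrGeneralName encoding: tag 0x%02x" % tag)
```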