I think this draft represents interesting work in a valuable area. Consistent with Stephen Farrell's message to the TLS list on 20 August, I also believe that the TLS WG probably isn't the best-choice forum to progress this document (vs. draft-ietf-tls-attr-cert-01, which is TLS-focused), since a lot of the utility and usage of attribute certificates should desirably be application-independent. Pending determination of whether the document should live in TLS, PKIX (where this might nicely complement the base X.509 profile), or perhaps somewhere else, I'd like to point out a couple of content issues and questions which may warrant discussion:

Given the statement in Sec. 4.4.1 that an attribute type which occurs in the attributes field must not also occur in the restrictions field, can there be an algorithmic way to determine which restrictions associate with which privileges?

Per 4.4.3, the AC targeting approach defines a fairly involved mechanism which is effectively advisory: it's up to a target receiving an AC to determine whether or not it's one of the targets the initiator intended, either directly or indirectly via group membership. Is there consensus on the value of such controls if they're advisory rather than strongly preventing use by unintended delegates?

--jl

> ----------
> From: Internet-Drafts@xxxxxxxx [SMTP:Internet-Drafts@xxxxxxxx]
> Reply To: IETF Transport Layer Security WG
> Sent: Wednesday, September 23, 1998 10:43 AM
> To: IETF Transport Layer Security WG
> Cc: ietf-tls@xxxxxxxxxxxxx
> Subject: I-D ACTION:draft-ietf-tls-ac509prof-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Transport Layer Security Working Group of
> the IETF.
>
> Title : An Internet AttributeCertificate Profile
> for Authorization
> Author(s) : S. Farrell
> Filename : draft-ietf-tls-ac509prof-00.txt
> Pages : 11
> Date : 22-Sep-98
>
> Authorization support is required for various Internet
> protocols, for example, TLS, CMS and their consumers,
> and others. The X.509 AttributeCertificate provides a
> structure which can form the basis for such services
> [X.509]. This specification defines two profiles (a
> simple one and a 'full' one) for the use of X.509
> AttributeCertificates to provide such authorization
> services.
>
> Internet-Drafts are available by anonymous FTP. Login with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> "get draft-ietf-tls-ac509prof-00.txt".
> A URL for the Internet-Draft is:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-ac509prof-00.txt
>
> Internet-Drafts directories are located at:
>
> Africa: ftp.is.co.za
>
> Europe: ftp.nordu.net
> ftp.nis.garr.it
>
> Pacific Rim: munnari.oz.au
>
> US East Coast: ftp.ietf.org
>
> US West Coast: ftp.isi.edu
>
> Internet-Drafts are also available by mail.
>
> Send a message to: mailserv@xxxxxxxxx
> In the body type:
> "FILE /internet-drafts/draft-ietf-tls-ac509prof-00.txt".
>
> NOTE: The mail server at ietf.org can return the document in
> MIME-encoded form by using the "mpack" utility. To use this
> feature, insert the command "ENCODING mime" before the "FILE"
> command. To decode the response(s), you will need "munpack" or
> a MIME-compliant mail reader. Different MIME-compliant mail readers
> exhibit different behavior, especially when dealing with
> "multipart" MIME messages (i.e. documents which have been split
> up into multiple messages), so check your local documentation on
> how to manipulate these messages.
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
--- Begin Message ---
- Date: Fri, 2 Oct 1998 16:09:34 -0400
Attachment: ATT92257.txt
Description: Binary data
- <ftp://internet-drafts/>
- Transfer-mode: ftp.ietf.org
--- End Message ---
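To make the two questions in the first message concrete, here is a small Python model, added here and not part of the draft or of either message, of the checks a relying party (the AC target) could perform: the Sec. 4.4.1 rule that an attribute type may not appear in both the attributes and restrictions fields, and the Sec. 4.4.3 targeting decision made by the recipient itself, directly or via group membership. The field layout, the ("name", ...) / ("group", ...) target encoding, the sample names and groups, and the assumption that an AC with no targets is usable anywhere are all illustrative choices; the draft's ASN.1 is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A target entry models the two ways the message describes an AC naming its
# intended recipients: ("name", <target name>) for a direct target, or
# ("group", <group name>) for targeting by group membership.
# Modelling assumption only; this is not the draft's ASN.1.
Target = Tuple[str, str]


@dataclass
class AttributeCertificate:
    """Minimal stand-in for the AC fields the two questions concern."""
    holder: str
    attributes: Dict[str, List[str]]    # privileges asserted for the holder
    restrictions: Dict[str, List[str]]  # limits on how privileges may be used
    targets: List[Target] = field(default_factory=list)


def conflicting_attribute_types(ac: AttributeCertificate) -> Set[str]:
    """Sec. 4.4.1 rule as paraphrased in the message: a type present in
    'attributes' must not also be present in 'restrictions'.  Returns the
    offending types; an empty set means the AC passes this check."""
    return set(ac.attributes) & set(ac.restrictions)


def is_intended_target(ac: AttributeCertificate, my_name: str,
                       group_members: Dict[str, Set[str]]) -> bool:
    """Targeting check as performed by the *receiving* target (Sec. 4.4.3 as
    described in the message).  group_members is the recipient's own
    knowledge of group membership; the AC does not carry it.
    Assumption for this model: an AC with no targets is usable by any target."""
    if not ac.targets:
        return True
    for kind, value in ac.targets:
        if kind == "name" and value == my_name:
            return True
        if kind == "group" and my_name in group_members.get(value, set()):
            return True
    return False


def accept_ac(ac: AttributeCertificate, my_name: str,
              group_members: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Combine both checks the way a relying party would, returning the
    decision together with the reason for any rejection."""
    conflicts = conflicting_attribute_types(ac)
    if conflicts:
        return False, "attribute types in both fields: " + ", ".join(sorted(conflicts))
    if not is_intended_target(ac, my_name, group_members):
        return False, "this server is not among the AC's targets"
    return True, "ok"


# Constructed sample data (illustrative, not from the draft).
GROUPS = {"payroll-servers": {"pay1.example", "pay2.example"}}

AC_OK = AttributeCertificate(
    holder="alice",
    attributes={"role": ["clerk"]},
    restrictions={"time-of-day": ["09:00-17:00"]},
    targets=[("group", "payroll-servers")])

AC_CONFLICT = AttributeCertificate(
    holder="bob",
    attributes={"role": ["clerk"]},
    restrictions={"role": ["read-only"]},   # same type in both fields
    targets=[("name", "pay1.example")])

if __name__ == "__main__":
    for server in ("pay1.example", "mail.example"):
        print(server, accept_ac(AC_OK, server, GROUPS))
    print("pay1.example", accept_ac(AC_CONFLICT, "pay1.example", GROUPS))
```

Note that every input to the targeting decision other than the AC itself (the recipient's own name, its view of group membership, and whether it runs the check at all) is local to the recipient. That is exactly what makes the mechanism advisory in the sense the message describes: the extension protects only recipients that evaluate it, and a relying party that wants the protection must treat a failed target check as a hard rejection, as accept_ac does.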