On Tuesday, January 06, 1998 6:15 AM, dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil
[SMTP:dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil] wrote:
This would have no mandatory effect on v2 user agents, but does enable
the enforcement of criticality in v3, and appears to be the simplest
fully compatible method of doing so.
I agree that this is fully compatible -- the question is whether or not
v2 user agents ignoring it is acceptable. If there aren't any
complaints about v2 clients ignoring it, then we can go ahead and draft
syntax for it:
CriticalAttribute ::= OBJECT IDENTIFIER
CriticalAttributes ::= SEQUENCE OF CriticalAttribute
Or more simply:
CriticalAttributes ::= SEQUENCE OF OBJECT IDENTIFIER
And the OID:
id-aa-criticalAttributes OBJECT IDENTIFIER ::= { id-aa 5 }
The proposed use that Phill had is interesting, but I wonder if there
are implications in the event that an authenticated attribute in a
message is in conflict with the capabilities of the signing certificate,
both of which may be marked critical. For instance:
Certificate has a critical extension that says "This certificate cannot
be used to sign contracts"
Message has a critical attribute that says "This is a signed contract"
Is this something to be concerned about?
Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060