Re: Attribute Certificates -- love 'em or leave 'em?

1998-04-28 07:22:46
From: "Blake Ramsdell" <BlakeR(_at_)deming(_dot_)com>

Are attribute certificates getting axed out of the -cert draft?

I agree that attribute certs may be axed from the -cert draft, since
we have nothing in particular to say about their usage.

However, I would *not* recommend removing them from CMS, which allows
them to be contained in SignedData->certificates but does not require
implementations to do anything with them.

The syntax of AttributeCertificate is well defined in X.509; the
semantics is identical to including the attribute(s) from the AC in the
base cert(s) to which it refers.  The unknowns surrounding ACs are
management, not technical, issues (when are ACs advantageous to use,
and when does it make more sense to stuff all the attributes into a
regular certificate).

Leaving the capability of carrying ACs in the CMS syntax costs very
little, and offers valuable flexibility for applications which may
choose to use them.  Axe them from -cert, leave them in -cms.

Dave Kemp
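
An added example, not part of the message above or of any S/MIME implementation: one way a receiver can accept attribute certificates in SignedData->certificates and do nothing with them, by classifying each set member by its DER tag. The tag numbers follow CertificateChoices as later published in RFC 2630 (an assumption, since the message does not quote the ASN.1); the function names and the sample bytes are constructed for illustration.

```python
# Added example: split the members of a CMS CertificateSet by DER tag.
# Tag values follow CertificateChoices as later published in RFC 2630
# (an assumption; the message above does not quote the ASN.1).
CHOICES = {
    0x30: "certificate",          # Certificate (universal SEQUENCE)
    0xA0: "extendedCertificate",  # [0] IMPLICIT ExtendedCertificate
    0xA1: "attrCert",             # [1] IMPLICIT AttributeCertificate
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected here")
    pos += 2
    if first < 0x80:
        length = first                      # short-form length
    else:
        n = first & 0x7F                    # number of length octets
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def split_certificate_set(set_contents):
    """Split the contents octets of SignedData.certificates.

    Returns (certs, skipped): certs holds each complete DER Certificate;
    skipped names the other choices that were carried but not processed.
    """
    certs, skipped = [], []
    pos = 0
    while pos < len(set_contents):
        tag, _, end = read_tlv(set_contents, pos)
        kind = CHOICES.get(tag, "unknown(0x%02x)" % tag)
        if kind == "certificate":
            certs.append(bytes(set_contents[pos:end]))
        else:
            skipped.append(kind)            # present in the message, ignored
        pos = end
    return certs, skipped

# Constructed sample: stub bodies, not real certificates.
SAMPLE = bytes.fromhex("3003020101" "a103020102" "3003020103")
```

Only the entries returned in `certs` would go on to path validation; the `skipped` list is there so the receiver can log what it chose not to process.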