[Top] [All Lists]

Re: Attribute Certificates -- love 'em or leave 'em?

1998-04-30 03:22:57

I think it'd be a mistake to leave in the 509 AttributeCertificate
syntax. The reason is that an AC itself is often not enough - there
may be a need for application/protocol specific additions, so that
the AC can be validated. This happens for example when an AC
is delegated. (Note - I'm not saying that some other AC syntax
should be used, just that you may need more than the AC to
prevent certain attacks.)

I'd suggest deleting the current option, and either replacing with
an octet hole, or with an understanding (and maybe text) that
AC's (and whatever else is needed) will be carried as unauth or
auth-attributes within CMS.