Re: Attribute Certificates -- love 'em or leave 'em?

1998-04-30 13:04:17
I agree with John.


At 06:47 PM 4/28/98 -0400, John Pawling wrote:

I agree with Dave Kemp that the X.509 Attribute Certificate (AC) syntax
should be left in the CertificateChoices ASN.1 syntax defined in the CMS
spec.  There are already major organizations who are planning to use the
X.509 AC syntax.  For example, the American National Standards Institute,
Accredited Standards Committee X9, plans to use the X.509 AC syntax in the
following specifications:

1) X9.57-199x, Public Key Cryptography For The Financial Services Industry:
Certificate Management

2) X9.45-199x: Enhanced Management Controls Using Digital Signatures and
Attribute Certificates

Recommend that the CERT I-D, Sec 2.3, last para should be changed as follows:

OLD: "Receiving agents SHOULD support X.509 attribute certificates.  At a
minimum, receiving agents SHOULD at least support the decoding of X.509
attribute certificates.  Please note that there is no requirement that the
same CA create both the public key X.509 Certificate and X.509 attribute
certificate(s) for a user.  Each organization's local policy will define how
X.509 attribute certificates are validated and used.  The implications of
performing multiple certification path validations should be considered when
defining local policy.  Exchanges between a subject and the CA dealing with
the generation of X.509 attribute certificates are outside the scope of this

NEW: "Receiving agents SHOULD support the decoding of X.509 ACs included in
CMS objects.  All other issues regarding the generation and use of X.509 ACs
are outside of the scope of this specification."

Recommend leaving the definition of AC in the Cert I-D.

John Pawling, jsp@jgvandyke.com
J.G. Van Dyke & Associates, Inc.
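As an added illustration of the "at a minimum, support decoding" point (example code, not from the thread, the CERT I-D or the CMS spec): a receiving agent only needs to recognise which CertificateChoices alternative each element of a CertificateSet is, so it can record attribute certificates and leave their validation to local policy. The tag numbers assume the CertificateChoices layout later published in RFC 2630 (certificate = SEQUENCE, extendedCertificate = [0], attrCert = [1]); the sample SET bytes are constructed and carry no real certificate content.

```python
# Added example: split a CMS CertificateSet (SET OF CertificateChoices) by the
# outer DER tag of each element. Tag mapping is assumed from RFC 2630's
# CertificateChoices; the I-D discussed in the thread is not on the page.

def read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return length, pos + 1 + n

def classify_choice(tag):
    """Map the outer tag of a CertificateChoices element to its alternative."""
    if tag == 0x30:            # UNIVERSAL SEQUENCE -> Certificate
        return "certificate"
    if tag == 0xA0:            # [0] IMPLICIT, constructed -> ExtendedCertificate
        return "extendedCertificate"
    if tag == 0xA1:            # [1] IMPLICIT, constructed -> AttributeCertificate
        return "attrCert"
    return "unknown"           # tolerate alternatives this agent does not know

def walk_certificate_set(der):
    """Return (choice, element_bytes) pairs for every element of the SET.

    Decoding stops at the choice level: attrCert elements are returned intact
    so local policy can decide whether and how to validate them."""
    if der[0] != 0x31:         # UNIVERSAL SET
        raise ValueError("not a SET")
    total, pos = read_length(der, 1)
    end = pos + total
    out = []
    while pos < end:
        tag = der[pos]
        length, body = read_length(der, pos + 1)
        out.append((classify_choice(tag), der[pos:body + length]))
        pos = body + length
    if pos != end:
        raise ValueError("element runs past the end of the SET")
    return out

# Constructed sample: one placeholder Certificate SEQUENCE followed by one
# attrCert [1] element whose content is a bare NULL. Not real certificates.
SAMPLE = bytes([0x31, 0x07, 0x30, 0x01, 0x00, 0xA1, 0x02, 0x05, 0x00])
```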