ietf-smime

RE: Finding and retrieving applicable Attribute Certificate(s)

1998-05-06 13:13:01
Dave Wrote:

From: Francois Rousseau <f(_dot_)rousseau(_at_)adga(_dot_)ca>

This
implies that the signedInfo issuerAndSerialNumber field can NOT uniquely
identify both the public key certificate and the AC for each originator.


Either I am completely confused about the point you are trying to make,
or you are confused about the difference between an attribute authority
and the subject of an attribute certificate.

To clarify:

* a public key certificate is issued and signed by a CA.

* one or more attribute certificates are issued and signed by one or
   more AAs, which in general are different from the CA.

* each AC refers to one or more base public key certificates
   (the "subject") which, as you point out, can be referred to using
   either a baseCertificateID or a subjectName.

* the CMS SignerInfo issuerAndSerialNumber field refers to one public
   key certificate.


Therefore, since the issuerAndSerialNumber field refers to one public key
certificate, and all ACs have a subject (public key certificate),
then the issuerAndSerialNumber field uniquely determines both the
signer and all ACs which apply to the signer. 

I was confused too until I had someone else look at Mr. Rousseau's message.  I 
believe what he's saying is that he doesn't want all ACs coming back from a 
directory, just the one(s) used for the message.  I believe this may be a 
concern if you didn't want someone to see every privilege that you had, in 
which case the AA probably wouldn't want to put it in the directory; I would 
send it along with the message.  The other case could be that you wouldn't want 
the end user or end application to have to pick the correct AC.  He believes the 
directory should handle it.  Anyway, that's my guess.

I would like to comment on the following:

Because ACs offer a choice, the baseCertificateID associated with a public
key certificate is not the only approach to refer to its owner. Instead, an
AC can refer to its owner through its GeneralNames.

In the context of my last message discussing masquerading, GeneralNames won't 
protect you in a masquerade if the attacker knows the subject DNs of clients 
for a CA.

Capt Hayes
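The following is an added illustration, not part of the mailing-list message above and not code from any IETF S/MIME implementation. It models, in plain Python with hypothetical stand-in classes rather than real ASN.1 types, the two ways an AC can name its holder that the thread discusses: by baseCertificateID (issuer plus serial, the same pair CMS carries in SignerInfo issuerAndSerialNumber) or by subject name alone. The constructed sample data includes two certificates with the same subject DN issued by different CAs, which shows why a name-only holder reference does not pin the AC to one certificate, the masquerade point Capt Hayes raises, while an issuer-and-serial reference does.

```python
# Added example (not from the thread): selecting the attribute certificates
# (ACs) that apply to a CMS signer, comparing holder-by-baseCertificateID with
# holder-by-subject-name. The dataclasses are simplified stand-ins for the
# X.509 / CMS ASN.1 structures; no ASN.1 library is used.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IssuerSerial:
    """Models CMS issuerAndSerialNumber and the AC baseCertificateID."""
    issuer: str
    serial: int


@dataclass(frozen=True)
class PublicKeyCert:
    issuer: str    # DN of the CA that issued the certificate
    serial: int
    subject: str   # subject DN

    @property
    def ref(self) -> IssuerSerial:
        return IssuerSerial(self.issuer, self.serial)


@dataclass(frozen=True)
class AttributeCert:
    aa: str                                      # attribute authority that signed it
    attributes: Tuple[str, ...]
    base_cert_id: Optional[IssuerSerial] = None  # holder named by issuer + serial
    subject_name: Optional[str] = None           # holder named by subject DN only


def certs_an_ac_applies_to(ac: AttributeCert,
                           certs: List[PublicKeyCert]) -> List[PublicKeyCert]:
    """Every certificate whose identity the AC's holder field matches.

    A baseCertificateID matches exactly one (issuer, serial) pair; a
    subject-name-only holder matches any certificate carrying that DN,
    whichever CA issued it.
    """
    matches = []
    for c in certs:
        if ac.base_cert_id is not None:
            if c.ref == ac.base_cert_id:
                matches.append(c)
        elif ac.subject_name is not None and ac.subject_name == c.subject:
            matches.append(c)
    return matches


def acs_for_signer(sid: IssuerSerial,
                   certs: List[PublicKeyCert],
                   acs: List[AttributeCert],
                   accept_name_only: bool = False) -> List[AttributeCert]:
    """ACs a recipient should associate with the SignerInfo's sid.

    By default only ACs bound by baseCertificateID are accepted, so the
    selection is as unambiguous as the signer's certificate itself. With
    accept_name_only=True, ACs that name the holder by DN are also accepted,
    which means they would equally apply to a same-DN certificate from another CA.
    """
    signer = next((c for c in certs if c.ref == sid), None)
    if signer is None:
        raise LookupError("no certificate matches issuerAndSerialNumber")
    chosen = []
    for ac in acs:
        if ac.base_cert_id is not None:
            if ac.base_cert_id == sid:
                chosen.append(ac)
        elif accept_name_only and ac.subject_name == signer.subject:
            chosen.append(ac)
    return chosen


# Constructed sample data: the same subject DN certified by two different CAs.
ALICE_FROM_CA_A = PublicKeyCert("CN=CA-A", 100, "CN=Alice, O=Example")
ALICE_FROM_CA_B = PublicKeyCert("CN=CA-B", 7, "CN=Alice, O=Example")
CERTS = [ALICE_FROM_CA_A, ALICE_FROM_CA_B]

AC_BOUND = AttributeCert("CN=AA-1", ("role=approver",),
                         base_cert_id=ALICE_FROM_CA_A.ref)
AC_BY_NAME = AttributeCert("CN=AA-2", ("clearance=secret",),
                           subject_name="CN=Alice, O=Example")
ACS = [AC_BOUND, AC_BY_NAME]


if __name__ == "__main__":
    sid = ALICE_FROM_CA_A.ref  # what SignerInfo issuerAndSerialNumber would carry
    print("strict:   ", [ac.aa for ac in acs_for_signer(sid, CERTS, ACS)])
    print("name too: ", [ac.aa for ac in acs_for_signer(sid, CERTS, ACS, True)])
    print("AC_BY_NAME also applies to:",
          [c.issuer for c in certs_an_ac_applies_to(AC_BY_NAME, CERTS)])
```

Running the block shows that the strict selection returns only the AC from AA-1, while the name-based AC from AA-2 is picked up for the signer's certificate and, just as readily, for the certificate with the same DN issued by CA-B.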