ietf-smime

Re: ESS EquivalentLabel Proposal

1998-05-25 08:05:59
Francois,

Thank you for your response and the valuable information that you have
provided.  I would like to point out that the equivalentLabel attribute
would be used to express equivalencies between security label values applied
to a content, whereas the AC attribute that you mention conveys
equivalencies between users' authorizations.  Therefore, the two mechanisms
serve different purposes.  Furthermore, the use of ACs is not widespread, so
AC attributes can currently only be used by a limited set of folks.  The use
of ACs needs to be discussed and defined by the PKIX WG.  Recommend that you
initiate a discussion on the PKIX WG list to begin defining the use of ACs.

- John Pawling


At 09:30 AM 5/25/98 -0400, Francois Rousseau wrote:
I would like to suggest that this mapping could eventually be accomplished
through a proposed extension for Attribute Certificates instead of an
authenticated attribute. The following document on these proposed attribute
certificate extensions contains an extension specifically for that purpose.

ftp://ftp.bull.com/pub/OSIdirectory/Helsinki97Output/21DIR4.DOC

"The attribute value mappings extension, which is for use in attribute
certificates issued to Attribute Authorities only, allows a certificate
issuer to indicate that, for the purposes of the user of a delegation path
containing this certificate, one of the issuer's attribute values can be
considered equivalent to a different attribute value used in the subject
Attribute Authority's domain."

As suggested by Jim Schaad, through using this attribute certificate
extension to convey this mapping is something that should be implemented in
policy verification code.

Francois Rousseau


