ietf-smime

Re: ESS EquivalentLabel Proposal

1998-05-26 18:30:20
Francois:

It seems to me that the certificate (or attribute certificate) would
contain the authorizations held by a particular user.  The security label
is different.  The security label specifies the handling requirements for a
particular message.  The proposed attribute states the label under
different policies that offer equal protection.

Russ


At 09:30 AM 5/25/98 -0400, Francois Rousseau wrote:
I would like to suggest that this mapping could eventually be accomplished
through a proposed extension for Attribute Certificates instead of an
authenticated attribute. The following document on these proposed attribute
certificate extensions contains an extension specifically for that purpose.

ftp://ftp.bull.com/pub/OSIdirectory/Helsinki97Output/21DIR4.DOC

"The attribute value mappings extension, which is for use in attribute
certificates issued to Attribute Authorities only, allows a certificate
issuer to indicate that, for the purposes of the user of a delegation path
containing this certificate, one of the issuer's attribute values can be
considered equivalent to a different attribute value used in the subject
Attribute Authority's domain."

As suggested by Jim Schaad, using this attribute certificate
extension to convey this mapping is something that should be implemented in
policy verification code.

Francois Rousseau
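
The distinction drawn in this thread, as an added example (not code from the thread or from any S/MIME implementation): the message carries a label plus equivalent labels under other policies, the recipient's authorizations come from a certificate, and the access check picks the label stated under the recipient's own policy. The policy OIDs, class names, and the "higher integer means more restrictive" ordering are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed policy identifiers, for illustration only.
POLICY_A = "1.3.6.1.4.1.99999.1"
POLICY_B = "1.3.6.1.4.1.99999.2"
POLICY_C = "1.3.6.1.4.1.99999.3"


@dataclass(frozen=True)
class Label:
    """Handling requirement attached to a message."""
    policy: str          # security policy identifier (OID)
    classification: int  # assumption: higher value = more restrictive


@dataclass(frozen=True)
class Clearance:
    """Authorization held by a user, as conveyed in a certificate."""
    policy: str
    max_classification: int


def select_label(primary: Label, equivalents: Sequence[Label],
                 policy: str) -> Optional[Label]:
    """Return the message's label as stated under `policy`.

    The primary label wins if it is already under that policy; otherwise
    the first equivalent label under that policy is used. Both inputs are
    assumed to come from attributes covered by a verified signature.
    """
    for label in (primary, *equivalents):
        if label.policy == policy:
            return label
    return None


def may_access(primary: Label, equivalents: Sequence[Label],
               clearance: Clearance) -> bool:
    """Compare the user's authorization with the handling requirement."""
    label = select_label(primary, equivalents, clearance.policy)
    if label is None:
        return False  # no label under a policy we understand: fail closed
    return clearance.max_classification >= label.classification


# Constructed sample: labelled under policy A, with an equivalent under B.
MSG_LABEL = Label(POLICY_A, 3)
MSG_EQUIVALENTS = [Label(POLICY_B, 2)]
```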

