ietf-smime

RE: certificate and attribute certificate imported from PKIX or X.509

2001-03-22 15:37:30
All: Steve Henson is correct that the AttributeCertificate syntaxes are
different in the draft 2000 X.509 Recommendation and PKIX AC profile.  

Stephen Farrell: Recommend that the PKIX AC profile be changed to be
consistent with the draft 2000 X.509 Recommendation.

Another PKIX AC profile Issue: X.501 defines the Clearance attribute syntax
using AUTOMATIC TAGS.  The Clearance attribute syntax in the PKIX AC profile
should be changed as follows to be consistent with X.501:

Clearance ::= SEQUENCE
 {
     policyId
         [0] OBJECT IDENTIFIER,
     classList
         [1] ClassList DEFAULT {unclassified},
     securityCategories
         [2] SET OF SecurityCategory OPTIONAL
 }

===========================================
John Pawling, John(_dot_)Pawling(_at_)GetronicsGov(_dot_)com
Getronics Government Solutions, LLC
===========================================


-----Original Message-----
From: Dr S N Henson [mailto:drh(_at_)celocom(_dot_)com]
Sent: Thursday, March 22, 2001 4:33 PM
To: SMIME
Subject: Re: certificate and attribute certificate imported from PKIX or X.509


"Pawling, John" wrote:

Sean,

The Certificate ASN.1 syntax definitions in the PKIX and X.509 specs are
equivalent (i.e. they produce identical hex ASN.1 encodings), so it doesn't
matter to me which spec is referenced.

However, the AttributeCertificate syntax is an issue.  RFC 2630 imports the
AttributeCertificate syntax from the 1997 X.509 Recommendation.  The
AttributeCertificate syntax defined in the draft 2000 X.509 Recommendation
(X.509_4thEditionDraftV7, 23 Feb 2001) and PKIX AC Profile
(draft-ietf-pkix-ac509prof-06.txt, 10 Jan 2001) is incompatible with the
AttributeCertificate syntax defined in the 1997 X.509 Recommendation.
Recommend that the son-of-RFC2630 and symkeydist ASN.1 modules should import
the AttributeCertificate syntax defined in the draft 2000 X.509
Recommendation and PKIX AC Profile (again, it doesn't matter to me which
spec is referenced).


I'm trying to work out whether that statement implies that the draft2000
X.509 Recommendation and the PKIX AC profile are compatible :-)

I sent a query about that to the PKIX list without response a while ago.
There seems to be one (unintentional?) incompatibility at least. The
PKIX draft has in the ASN1 module (Appendix B):

DEFINITIONS EXPLICIT TAGS ::=

whereas the X509 2000 draft has:

DEFINITIONS IMPLICIT TAGS ::=

The 1997 X.509 recommendation apparently does not change the default
tagging which would mean it should be EXPLICIT.

I've only ever seen one example of an attribute certificate and that
used default EXPLICIT tagging but it was broken in another separate way.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: drh(_at_)celocom(_dot_)com PGP key: via homepage.
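The EXPLICIT-versus-IMPLICIT default-tagging mismatch Steve raises, and the Clearance syntax John quotes, worked through as an added example that is not part of this thread and not code from any of the specs or from OpenSSL: a minimal DER encoder emits the same Clearance value under both module defaults so the two byte strings can be compared. The policy OID 1.2.3.4 and the class bits are constructed sample values; ClassList is assumed to be the named-bit BIT STRING with unclassified as bit 0.

```python
# Added illustration (not from the thread or the cited specs).  Sample values
# are constructed; ClassList is assumed to be a named-bit BIT STRING whose
# bit 0 is unclassified, so DEFAULT {unclassified} means bit 0 alone.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_bitstring(bits: str) -> bytes:
    """Named-bit BIT STRING from a '0'/'1' string; DER trims trailing zero bits."""
    bits = bits.rstrip("0")
    unused = (-len(bits)) % 8
    padded = bits + "0" * unused
    data = bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))
    return tlv(0x03, bytes([unused]) + data)

def context_tag(n: int, inner: bytes, explicit: bool) -> bytes:
    """[n] under EXPLICIT wraps inner in a constructed tag; under IMPLICIT (and
    AUTOMATIC, for non-CHOICE fields) it replaces inner's tag octet."""
    if explicit:
        return tlv(0xA0 | n, inner)
    return bytes([0x80 | (inner[0] & 0x20) | n]) + inner[1:]

def encode_clearance(policy_oid: str, class_bits: str, explicit: bool) -> bytes:
    """Clearance with policyId and classList; securityCategories omitted."""
    fields = context_tag(0, der_oid(policy_oid), explicit)
    if class_bits.rstrip("0") != "1":    # DER omits a field equal to its DEFAULT
        fields += context_tag(1, der_bitstring(class_bits), explicit)
    return tlv(0x30, fields)

if __name__ == "__main__":
    for mode in (True, False):
        print("EXPLICIT" if mode else "IMPLICIT", encode_clearance("1.2.3.4", "0001", mode).hex())
```

A decoder built against one module default will reject or misparse values produced under the other, which is why the two drafts need to agree before CMS modules import the type.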