pem-dev

Re: identifying attribute types

1993-11-24 15:51:00


   >From: Steve Kent <kent(_at_)com(_dot_)bbn>
   >Subject: Re: identifying attribute types
   >Date: Wed, 24 Nov 93 12:30:44 -0500

   >I recently had forwarded to me a note
   >from the last X.500 committee meeting which they reaffirmed that X.509
   >certificates are designed for identification in support of
   >authentication and that the inclusion of attributes to support other
   >security services was actively discouraged.  I wholeheartedly agree with
   >this position and I think Peter was making a similar point.  


However, we need to bear one incidental point in mind here, that 1422
certification policy may be used by other than PEM protocols. That the
above philosophy is suitable for identity-based access control is not
in doubt, where the source of the ACLs and the enforcement function can
be trusted.

Now if we populate the Directory with dual-purpose PEM/Directory
certificates representing both users and system agents, I need, for
higher assurance access controls across the distributed Directory
services, to use rule-based controls by which I can be assured that a
common security policy is in place across all my entities communicating
through or directly using DSP.

So far, I have been unable to avoid maintaining one attribute in the
Name of the certificate subject which is used to associate that entity
with a particular access partition of the rule-base at each relay
entity, where the entity is authenticated to be a member of a given
authentication domain whose registration procedures can be trusted
to manage access domain partitioning.

I've hedged this mechanism with PEM design intent by insisting that the
real DN is deducible from the subject Name by a simple algorithm, whilst
enabling a strongly bound partition/identity binding to be conveyed
(for an admittedly non-authentication function).

This is a bit off the secure e-mail track, but is part of considerable
on-going activity to attempt to re-apply the PEM trust semantics
globally, even though it is recognised that the access control
properties of end-to-end protocols like PEM and DAP versus those of
application relays used in the MTS and DSP require different
mechanisms.

I might argue that PEM is unaffected. That no authorization statements
are carried, only an authorization binding. That a dual certificate
infrastructure is avoided. That authorization certificates are not
needed. That relay applications can apply the PEM certificates. That we
avoid partitioning sensitive DSAs from the global fully _distributed_
Directory by our having used only openly-available mechanisms.

Now the massively summarized argument and rationale of the last
paragraphs may be flawed, technically? I am now asserting that what Bob
wants generically may be acceptable - in very highly controlled
circumstances.

Can PEM cope with this, without undermining the design concept?


