Re: Privilege policy (was Re: I-D ACTION:draft-ietf-pkix-acrmf-01.txt)
Steve Hanna <steve.hanna@sun.com> Tue, 12 March 2002 16:14 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25877 for <pkix-archive@lists.ietf.org>; Tue, 12 Mar 2002 11:14:22 -0500 (EST)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g2CFCbL06609 for ietf-pkix-bks; Tue, 12 Mar 2002 07:12:37 -0800 (PST)
Received: from kathmandu.sun.com (kathmandu.sun.com [192.18.98.36]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2CFCW406605 for <ietf-pkix@imc.org>; Tue, 12 Mar 2002 07:12:32 -0800 (PST)
Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by kathmandu.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA26551; Tue, 12 Mar 2002 08:12:28 -0700 (MST)
Received: from sun.com (dhcp75-167 [129.148.75.167]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.2) with ESMTP id KAA00472; Tue, 12 Mar 2002 10:12:27 -0500 (EST)
Message-ID: <3C8E1A30.D100B515@sun.com>
Date: Tue, 12 Mar 2002 10:09:36 -0500
From: Steve Hanna <steve.hanna@sun.com>
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Williams <peterw@valicert.com>
CC: "'Yee, Peter'" <pyee@rsasecurity.com>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'Francois.Rousseau@CSE-CST.GC.CA'" <Francois.Rousseau@CSE-CST.GC.CA>
Subject: Re: Privilege policy (was Re: I-D ACTION:draft-ietf-pkix-acrmf-01.txt)
References: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A524@polaris.valicert.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
There seems to be some ongoing confusion about privilege policy, as defined in X.509. Privilege policy determines whether the privileges of a privilege holder are sufficient. An access control list is one example of a privilege policy. Although ACPROF does not mention privilege policy, I believe that there's an unstated assumption that after an AC has been validated it may be used in access control decisions or for other purposes. It is at this point that privilege policy enters the picture. The only place in X.509 AC validation where privilege policy is involved in is where the acceptable privilege policies extension is present. In that case, the verifier must check that the OID for the privilege policy it's planning to use is included in the list of OIDs in the extension. However, ACPROF does not support this extension. Therefore, there is no need for it to worry about privilege policy. -Steve Peter Williams wrote: > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-09.txt > > describes a set of AC verification rules, when an AC chain > has one element. > > X.509 16.1 defines the "basic path processing" requirements > for processing "a single AC". X.509 16 is clear that 16.1 > is REQUIRED for the case of processing a single AC. > > Peter, a question (Q): What is the relationship between > "privilege policy" (as used in X.509 16.1) and ACPROF section > 5 "Attribute Certificate validation?" > > I dont believe profiles can remove the X.509 requirement > to follow X.509 16.1 when validating an AC. As ACPROF makes no > mention of privilege policy, we have to assume that > X.509 16.1 controls, and that conforming implementations > MUST implement the privilege policy enforcement > requirements. > > A reasonable answer to the question (Q) is that > "validating right-to-use" a privilege is not the same > thing as "validating an AC" - even though these two ideas > are intertwined in the international standard, section 16.1. > Hence, privilege policy matters fall outside the scope of ACPROF > and IETF. > > If this latter case is your thinking, then of course > designers of conforming implementations must > look to X509 for control when validating actual > privilege *assertion* at privilege "use" time. > > If we could clearup that ACPROF does not control > validation of privilege *assertion*, this would > be valuable. Privlege assertion within a lifetime > is of course what matters and what makes ACs > viable. Validating the privilege assertion > can of course be critically important to > the application's security policy. > > Peter. > > -----Original Message----- > From: Yee, Peter [mailto:pyee@rsasecurity.com] > Sent: Monday, March 11, 2002 2:23 PM > To: 'Francois.Rousseau@CSE-CST.GC.CA' > Cc: 'ietf-pkix@imc.org' > Subject: RE: I-D ACTION:draft-ietf-pkix-acrmf-01.txt > > >I recognize that [ACPROF], the Internet Attribute Certificate Profile, does > >not currently recommend the use of delegation and AC chains as specified in > >the X.509 standard [X.509-2000], however I would hope that your Internet > >Draft [ACRMF] on Attribute Certificate Request Message Format will not > >preclude it. > > Yes, I would call that an oversight on my part. I have to admit that > sometimes I think of ACs within the limited scope of ACPROF. >
- I-D ACTION:draft-ietf-pkix-acrmf-01.txt Internet-Drafts
- RE: I-D ACTION:draft-ietf-pkix-acrmf-01.txt Yee, Peter
- RE: I-D ACTION:draft-ietf-pkix-acrmf-01.txt Peter Williams
- Re: Privilege policy (was Re: I-D ACTION:draft-ie… Steve Hanna