RE: draft-turner-caclearanceconstraints-01.txt

["Santosh Chokhani" <SChokhani@cygnacom.com>]

Stefan,

I realize that a generic structure for security categories can not be
implemented.

I hope you see the point that without casting the security categories
more concretely, I can not provide more detailed pseudo-code than saying
that take a set theoretic intersection.

If the work item is taken up, we would definitely look at option of
casting the security categories structure concretely or giving couple of
examples for different structures. 

-----Original Message-----
From: Stefan Santesson [mailto:stefans@microsoft.com] 
Sent: Thursday, October 23, 2008 8:28 AM
To: Santosh Chokhani; ietf-pkix@imc.org
Subject: RE: draft-turner-caclearanceconstraints-01.txt

Santosh,

> One answer to your question will be that this can be sorted out during
> the comment period.

I have thought about that, but I would prefer not.
The reason is that this is a fundamental aspect of the standard and I
want to see that you can build a reasonable solution to a reasonable
problem before I would support to standardize it.

>
> But, specific answer to your question is that in all cases logical
> intersection of categories is computed.  Specific details beyond that
> will depend on how the categories are encoded.


I don't understand what you mean here. The current specification makes
clear that the intersection logic can change in any way for each Policy
ID.
There is no defined "default" logic and no way to tell if a PolicyID
alters this logic.
As such I can't write a code that can perform the fundamental
intersection logic of the protocol.
I would have to build a solution that allows every "user" to invoke
custom code for every PolicyID.

That to me is a too complex response to this problem, especially since I
don't think this problem should be handled in certificates at all.
And that if this would be done in certificates anyway, that we at least
should skip the constraints logic.

I miss the balance discussion. Writing a new standard comes with a cost.
We are potentially confusing the community with another specification.
We potentially promote making PKI more complex. We potentially promote
Certificates to be the right place to carry clearance information.

Just because something could be useful in some corner cases, does not
make it the right thing to standardize.



Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Santosh Chokhani
> Sent: den 22 oktober 2008 18:26
> To: ietf-pkix@imc.org
> Subject: RE: draft-turner-caclearanceconstraints-01.txt
>
>
> Stefan,
>
> One answer to your question will be that this can be sorted out during
> the comment period.
>
> But, specific answer to your question is that in all cases logical
> intersection of categories is computed.  Specific details beyond that
> will depend on how the categories are encoded.
>