Policy Authority Control

"Andy Dowling" <andy.dowling@sse.ie> Thu, 11 November 1999 12:22 UTC

Message-ID: <020301bf2c3f$28194610$c42078c1@sse.ie>
From: Andy Dowling <andy.dowling@sse.ie>
To: "Stephen Farrell (Baltimore)" <stephen.farrell@baltimore.ie>, Russell Housley <housley@spyrus.com>
Cc: ietf-pkix@imc.org
Subject: Policy Authority Control
Date: Thu, 11 Nov 1999 12:20:23 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

Hi Folks,

Just a note about the use of PolicyAuthority (PA) in the IETFAttrSyntax.
At present, it seems possible for a badly-behaved AA to issue attributes
using an arbitrary PA. Whilst the issuing of attributes is controlled via
the AAControls extension, the issuing of attributes from a specified PA is
not controlled.

Perhaps including PA controls in the AAControls PKC extension would provide
a solution.
(This obviously depends on whether the AAControls mechanism is going to stay
or not)

Something along the lines of...

AAControls ::= SEQUENCE {
   pathLenConstraint...                        -- existing fields, as currently defined
   permittedAttrs...
   excludedAttrs...
   permitUnspecified...
   pAControls           PAControls OPTIONAL    -- proposed addition
}

PAControls ::= SEQUENCE {
    permittedPAs        [0] GeneralNames OPTIONAL,  -- PAs this AA may issue for
    excludedPAs         [1] GeneralNames OPTIONAL,  -- PAs this AA must not issue for
    permitUnspecifiedPA     BOOLEAN DEFAULT TRUE    -- PAs in neither list
}

It seems logical enough to place the PA controls in the AA controls
extension (they serve very similar purposes). I don't see the need for
placing it in a separate extension?? If PAControls is omitted from the
AAControls extension, then an AA can claim to issue attributes for any PA.

Any comments would be appreciated.

Thanks,

Andy

-----
Andy Dowling
IT Security Consultant
SSE (A Siemens Company)
Fitzwilliam Court, Leeson Close,
Dublin 2, Ireland

E-Mail:  andy.dowling@sse.ie
Web: http://www.sse.ie
Phone: +353 1 216 2021
Fax:   +353 1 216 2082
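As an added illustration (not part of the post above, nor of any PKIX draft), the verifier-side check that such a PAControls field would imply, in Python. It assumes GeneralNames entries can be modelled as plain strings, that an attribute naming no policyAuthority falls outside PAControls, and that excluded entries take precedence over permitted ones, mirroring how the AAControls attribute fields are read; the sample values are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical Python mirror of the proposed PAControls SEQUENCE; GeneralNames
# entries are modelled as plain strings (sample values below are constructed).
@dataclass(frozen=True)
class PAControls:
    permitted_pas: Optional[FrozenSet[str]] = None  # permittedPAs [0] OPTIONAL
    excluded_pas: Optional[FrozenSet[str]] = None   # excludedPAs  [1] OPTIONAL
    permit_unspecified_pa: bool = True              # permitUnspecifiedPA DEFAULT TRUE

def pa_permitted(controls: Optional[PAControls], policy_authority: Optional[str]) -> bool:
    """May the AA whose PKC carries `controls` assert an attribute under
    `policy_authority`?  None means the attribute names no PA at all."""
    # PAControls omitted from AAControls: the AA may claim any PA (as the post says).
    if controls is None:
        return True
    # Assumption: an attribute without a policyAuthority is outside PAControls' scope.
    if policy_authority is None:
        return True
    # Assumption: precedence mirrors the AAControls attribute fields,
    # excluded first, then permitted, then the unspecified default.
    if controls.excluded_pas is not None and policy_authority in controls.excluded_pas:
        return False
    if controls.permitted_pas is not None and policy_authority in controls.permitted_pas:
        return True
    return controls.permit_unspecified_pa

def rejected_attributes(controls: Optional[PAControls],
                        attributes: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str]]]:
    """Return the (attribute type, PA) pairs an AC verifier should refuse."""
    return [(attr_type, pa) for attr_type, pa in attributes if not pa_permitted(controls, pa)]

# Constructed sample: the AA's PKC permits one PA, excludes another, permitUnspecifiedPA FALSE.
SAMPLE_CONTROLS = PAControls(
    permitted_pas=frozenset({"dNSName:pa.example.org"}),
    excluded_pas=frozenset({"dNSName:rogue.example.net"}),
    permit_unspecified_pa=False,
)

# Constructed sample AC contents: (attribute type, asserted policyAuthority).
SAMPLE_ATTRIBUTES = [
    ("role", "dNSName:pa.example.org"),          # permitted PA -> accepted
    ("clearance", "dNSName:rogue.example.net"),  # excluded PA -> rejected
    ("group", "dNSName:other.example.com"),      # unspecified PA -> rejected
    ("group", None),                             # no PA asserted -> accepted
]
```

Calling `rejected_attributes(SAMPLE_CONTROLS, SAMPLE_ATTRIBUTES)` yields the two entries whose PA the AA was not authorised for; with `controls=None` nothing is rejected, which is exactly the gap the post describes.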