Policy Authority Control
"Andy Dowling" <andy.dowling@sse.ie> Thu, 11 November 1999 12:22 UTC
Message-ID: <020301bf2c3f$28194610$c42078c1@sse.ie>
From: Andy Dowling <andy.dowling@sse.ie>
To: "Stephen Farrell (Baltimore)" <stephen.farrell@baltimore.ie>, Russell Housley <housley@spyrus.com>
Cc: ietf-pkix@imc.org
Subject: Policy Authority Control
Date: Thu, 11 Nov 1999 12:20:23 -0000
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>

Hi Folks,

Just a note about the use of PolicyAuthority (PA) in the IETFAttrSyntax.

At present, it seems possible for a badly-behaved AA to issue attributes using an arbitrary PA. Whilst the issuing of attributes is controlled via the AAControls extension, the issuing of attributes from a specified PA is not controlled.

Perhaps including PA controls in the AAControls PKC extension would provide a solution. (This obviously depends on whether the AAControls mechanism is going to stay or not.) Something along the lines of...

    AAControls ::= SEQUENCE {
        pathLenConstraint...
        permittedAttrs...
        excludedAttrs...
        permitUnspecified...
        pAControls           PAControls OPTIONAL
    }

    PAControls ::= SEQUENCE {
        permittedPAs         [0] GeneralNames OPTIONAL,
        excludedPAs          [1] GeneralNames OPTIONAL,
        permitUnspecifiedPA  BOOLEAN DEFAULT TRUE
    }

It seems logical enough to place the PA controls in the AA controls extension (they serve very similar purposes). I don't see the need for placing it in a separate extension??

If PAControls is omitted from the AAControls extension, then an AA can claim to issue attributes for any PA.

Any comments would be appreciated.

Thanks,
Andy

-----
Andy Dowling
IT Security Consultant
SSE (A Siemens Company)
Fitzwilliam Court, Leeson Close, Dublin 2, Ireland
E-Mail: andy.dowling@sse.ie
Web: http://www.sse.ie
Phone: +353 1 216 2021
Fax: +353 1 216 2082
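
Added example, not part of the original message or of any PKIX draft: a sketch of how a relying party could evaluate the proposed PAControls when validating an attribute issued by an AA. Assumptions: the message does not define evaluation order, so this follows the permitted/excluded/permitUnspecified pattern with exclusion taking precedence; GeneralNames are modelled as "type:value" strings; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PAControls:
    """Mirror of the PAControls SEQUENCE proposed in the message."""
    permitted_pas: FrozenSet[str] = frozenset()   # permittedPAs [0] OPTIONAL
    excluded_pas: FrozenSet[str] = frozenset()    # excludedPAs  [1] OPTIONAL
    permit_unspecified_pa: bool = True            # DEFAULT TRUE


def _norm(name: str) -> str:
    # Simplification: a GeneralName is a "type:value" string compared
    # case-insensitively; real GeneralName matching is type-specific.
    return name.strip().lower()


def check_policy_authority(controls: Optional[PAControls],
                           policy_authority: Sequence[str]) -> Tuple[bool, str]:
    """Decide whether an AA may issue an attribute naming these PAs."""
    if controls is None:
        # Stated in the message: no PAControls means any PA may be claimed.
        return True, "no PAControls: unconstrained"
    permitted = {_norm(n) for n in controls.permitted_pas}
    excluded = {_norm(n) for n in controls.excluded_pas}
    # Assumptions: every name in policyAuthority must pass, exclusion wins,
    # and an attribute that names no PA at all is outside these controls.
    for raw in policy_authority:
        name = _norm(raw)
        if name in excluded:
            return False, f"{raw}: excluded"
        if name not in permitted and not controls.permit_unspecified_pa:
            return False, f"{raw}: not listed and permitUnspecifiedPA is FALSE"
    return True, "all policy authorities acceptable"


if __name__ == "__main__":
    # Constructed sample: an AA constrained to one PA, as carried in its PKC.
    hr_only = PAControls(permitted_pas=frozenset({"dns:hr.example.com"}),
                         permit_unspecified_pa=False)
    for pa in (["dns:hr.example.com"], ["dns:finance.example.com"]):
        print(pa, check_policy_authority(hr_only, pa))
    print(check_policy_authority(None, ["dns:finance.example.com"]))
```

With the defaults (both lists empty, permitUnspecifiedPA TRUE) the check accepts every PA, which is the same outcome as omitting PAControls; an issuer that wants to confine an AA has to set permitUnspecifiedPA to FALSE or list exclusions.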