IETF Logo Mail Archive

RE: Rationales for CA clearance constraints

"BRUMBY, Ian" <ian.brumby@baesystems.com> Mon, 27 October 2008 00:40 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 890AE3A6823 for <ietfarch-pkix-archive@core3.amsl.com>; Sun, 26 Oct 2008 17:40:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.706
X-Spam-Level:
X-Spam-Status: No, score=0.706 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wIWhoHRhES+U for <ietfarch-pkix-archive@core3.amsl.com>; Sun, 26 Oct 2008 17:40:39 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 2C4E33A6862 for <pkix-archive@ietf.org>; Sun, 26 Oct 2008 17:40:37 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9R0EADs036048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 26 Oct 2008 17:14:10 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9R0EAwh036047; Sun, 26 Oct 2008 17:14:10 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from gateway.baea.com.au (gateway.baea.com.au [202.20.20.25]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9R0DwW9036012 for <ietf-pkix@imc.org>; Sun, 26 Oct 2008 17:14:09 -0700 (MST) (envelope-from ian.brumby@baesystems.com)
Received: from unknown (HELO bunya.baea.com.au) ([150.207.1.63]) by fep.baea.com.au with ESMTP; 27 Oct 2008 10:43:56 +1030
Received: from SBW3OWEX1.au.baesystems.com (exchange [150.207.4.37]) by bunya.baea.com.au (8.13.8+Sun/8.13.8) with ESMTP id m9R0DsRO020315 for <ietf-pkix@imc.org>; Mon, 27 Oct 2008 10:43:56 +1030 (CST)
Received: from brdw3ex1.au.baesystems.com ([150.207.68.10]) by SBW3OWEX1.au.baesystems.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 27 Oct 2008 10:43:55 +1030
Content-class: urn:content-classes:message
Subject: RE: Rationales for CA clearance constraints
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C937C8.E6008F09"
Date: Mon, 27 Oct 2008 11:13:54 +1100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <0D88367CF035304ABCB1022D82AF0753017C7CD3@brdw3ex1.au.baesystems.com>
In-Reply-To: <200810251952.m9PJqCPD001487@bunya.baea.com.au>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Rationales for CA clearance constraints
Thread-Index: Ack22y4p+RR31pBzS9C9gMp+re9v7wA6ha9g
References: <9F11911AED01D24BAA1C2355723C3D32195A6F405C@EA-EXMSG-C332.europe.corp.microsoft.com> <200810251952.m9PJqCPD001487@bunya.baea.com.au>
From: "BRUMBY, Ian" <ian.brumby@baesystems.com>
To: ietf-pkix@imc.org
X-OriginalArrivalTime: 27 Oct 2008 00:13:55.0269 (UTC) FILETIME=[E63FAF50:01C937C8]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

My comments on the topic:

 

1.	The Clearance attribute is defined in the current X.501 (2001
and v6 draft) with an OID of 2.5.4.55. RFC 3281 (as referenced by
draft-turner-caclearanceconstraints-01.txt) defines it as 2.5.1.5.55. It
refers to X.501-1993 as the source of this definition. I've dug up the
1993 standard and can't find any reference to Clearance. If Clearance
Constraints are implemented, maybe it should be clarified if it
constrains X.501 (2003) Clearance attributes, if they are present in the
certificate, or specifically doesn't constrain them.

 

2.	With regards as to whether Clearance should be held in the
Certificate or the Directory:

	a.	I've heard concern that it shouldn't be held in either.
In a Prisoner of War scenario it potentially identifies the people with
the potential to have the most knowledge.
	b.	FYI - at least one Directory vendor is using the
Clearance attribute on the Certificate that is used to bind to the
Directory to control access to the Directory.

 

Ian Brumby

BAE Systems

 

"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."

v2.23.0 | Report a Bug | By Email