Comments to PKIX AC profile

"Pawling, John" <John.Pawling@GetronicsGov.com> Tue, 10 April 2001 14:18 UTC

Message-ID: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com>
From: "Pawling, John" <John.Pawling@GetronicsGov.com>
To: "ietf-pkix@imc. org (E-mail)" <ietf-pkix@imc.org>
Subject: Comments to PKIX AC profile
Date: Tue, 10 Apr 2001 10:18:17 -0400

All,

In a separate message, Stephen Henson reported an incompatibility between
the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile
for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509
Recommendation (4th Edition, Draft V7, 23 Feb 2001).  
The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT
TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC
syntax includes "DEFINITIONS IMPLICIT TAGS ::=".  Recommend that the PKIX AC
Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e.
produces the identical ASN.1 hex encoding) to that defined in the draft 2000
X.509 Recommendation.  This could be accomplished by moving the AC syntax
definition (and component syntax definitions) from the existing Appendix B
module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=".
That is the strategy used in the draft 2000 X.509 Recommendation.

Also, recommend that the ac509prof-06 file should be changed so that the
Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that
defined in X.501.  X.501 defines the Clearance attribute syntax using
AUTOMATIC TAGS.  The Clearance attribute syntax in the PKIX AC profile
should be changed as follows to be consistent with X.501:

Clearance ::= SEQUENCE
  {
      policyId
          [0] OBJECT IDENTIFIER,
      classList
          [1] ClassList DEFAULT {unclassified},
      securityCategories
          [2] SET OF SecurityCategory OPTIONAL
  }

===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================
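To make the tagging incompatibility described above concrete, here is an added example (not from the message, the PKIX profile or X.509) that DER-encodes the Clearance SEQUENCE once under IMPLICIT tags (the X.501/X.509 module style) and once under EXPLICIT tags (the profile's Appendix B module), so the two hex encodings can be compared byte for byte. The policy OID 1.2.3.4.5 is a constructed placeholder, ClassList is the X.501 named BIT STRING, and the OPTIONAL securityCategories component is omitted.

```python
"""Minimal DER encoder for the X.501 Clearance attribute (added example)."""

def der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def oid_content(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

# ClassList ::= BIT STRING { unmarked(0), unclassified(1), restricted(2),
#                            confidential(3), secret(4), topSecret(5) }
CLASS_BITS = {"unmarked": 0, "unclassified": 1, "restricted": 2,
              "confidential": 3, "secret": 4, "topSecret": 5}

def classlist_content(names) -> bytes:
    """DER named bit list: trailing zero bits are dropped."""
    hi = max(CLASS_BITS[n] for n in names)
    nbytes = hi // 8 + 1
    val = 0
    for n in names:
        val |= 1 << (nbytes * 8 - 1 - CLASS_BITS[n])
    unused = nbytes * 8 - 1 - hi
    return bytes([unused]) + val.to_bytes(nbytes, "big")

def tagged(n: int, universal_tag: int, content: bytes, explicit: bool) -> bytes:
    """Context tag [n]: IMPLICIT replaces the universal tag, EXPLICIT wraps it."""
    if explicit:
        return tlv(0xA0 | n, tlv(universal_tag, content))
    constructed = universal_tag & 0x20  # keep the constructed bit (e.g. SET OF)
    return tlv(0x80 | constructed | n, content)

def encode_clearance(policy_id: str, class_list=("unclassified",), explicit=False) -> bytes:
    body = tagged(0, 0x06, oid_content(policy_id), explicit)
    if set(class_list) != {"unclassified"}:  # DER: a DEFAULT value must be omitted
        body += tagged(1, 0x03, classlist_content(class_list), explicit)
    return tlv(0x30, body)
```

With the same input, the IMPLICIT encoding is `300a80042a03040581020308` and the EXPLICIT one is `300ea00606042a030405a10403020308`; a decoder built from one module will reject output of the other.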