Re: Comments to PKIX AC profile

Russ Housley <rhousley@rsasecurity.com> Tue, 17 April 2001 20:18 UTC

Message-Id: <5.0.1.4.2.20010417120305.01b21da0@exna07.securitydynamics.com>
X-Sender: rhousley@exna07.securitydynamics.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Tue, 17 Apr 2001 12:10:24 -0400
To: stephen.farrell@baltimore.ie
From: Russ Housley <rhousley@rsasecurity.com>
Subject: Re: Comments to PKIX AC profile
Cc: ietf-pkix@imc.org
In-Reply-To: <3ADC415C.CECBE1CB@baltimore.ie>
References: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

Steve:

I think that it is very important to align with the version 2 AC syntax in 
X.509-2000.

Since we mandate the implementation of version 2 AC and the X.509-2000 
version 1 AC syntax is not backward compatible with the original X.509-1997 
AC syntax, I suggest that we drop the version 1 syntax from our document 
altogether.

Does this approach raise concerns?

Russ

At 02:13 PM 4/17/2001 +0100, Stephen Farrell wrote:

>Hi John,
>
>You're right about the EXPLICIT, but can't I just change the current
>module to (the 509-2000 compatible) IMPLICIT tagging rather than add a
>whole new module? (Maybe that's what you meant.)
>
>Same thing for clearance: I'll make the change you suggest.
>
>BTW: both of these break code, so anyone with code compliant to the
>-06 I-D, who has a reason not to make the change should yell about
>this now.
>
>Regards,
>Stephen (who just hates sneaky tagging:-)
>
>
>"Pawling, John" wrote:
> >
> > All,
> >
> > In a separate message, Stephen Henson reported an incompatibility between
> > the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile
> > for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509
> > Recommendation (4th Edition, Draft V7, 23 Feb 2001).
> > The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT
> > TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC
> > syntax includes "DEFINITIONS IMPLICIT TAGS ::=".  Recommend that the PKIX AC
> > Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e.
> > produces the identical ASN.1 hex encoding) to that defined in the draft 2000
> > X.509 Recommendation.  This could be accomplished by moving the AC syntax
> > definition (and component syntax definitions) from the existing Appendix B
> > module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=".
> > That is the strategy used in the draft 2000 X.509 Recommendation.
> >
> > Also, recommend that ac509prof-06 file should be changed so that the
> > Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that
> > defined in X.501.  X.501 defines the Clearance attribute syntax using
> > AUTOMATIC TAGS.  The Clearance attribute syntax in the PKIX AC profile
> > should be changed as follows to be consistent with X.501:
> >
> > Clearance ::= SEQUENCE
> >   {
> >       policyId
> >           [0] OBJECT IDENTIFIER,
> >       classList
> >           [1] ClassList DEFAULT {unclassified},
> >       securityCategories
> >           [2] SET OF SecurityCategory OPTIONAL
> >   }
> >
> > ===========================================
> > John Pawling, John.Pawling@GetronicsGov.com
> > Getronics Government Solutions, LLC
> > ===========================================
>
>--
>____________________________________________________________
>Stephen Farrell
>Baltimore Technologies,   tel: (direct line) +353 1 881 6716
>39 Parkgate Street,                     fax: +353 1 881 7000
>Dublin 8.                mailto:stephen.farrell@baltimore.ie
>Ireland                             http://www.baltimore.com
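The tagging mismatch John describes, as an added example that is not part of this thread or of the PKIX/X.509 modules: a minimal hand-written DER encoder for the Clearance attribute under IMPLICIT and EXPLICIT tagging, showing that the two module headers yield different hex encodings for the same value. The policy OID and class-list bits are constructed sample values, and only the policyId and classList components are encoded.

```python
# Added example: DER-encode Clearance { policyId [0] OID, classList [1] BIT STRING }
# under IMPLICIT and EXPLICIT tagging to show the wire-format difference.
# The OID and bit-string values below are constructed samples, not from X.501.

def der_len(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple for a single-octet tag."""
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """Contents octets of OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def encode_clearance(policy_oid: str, class_bits: bytes, unused: int,
                     implicit: bool) -> bytes:
    """IMPLICIT: the context tag [n] replaces the universal tag (primitive encoding).
    EXPLICIT: [n] is a constructed wrapper around the complete universal TLV."""
    oid_content = encode_oid(policy_oid)
    bs_content = bytes([unused]) + class_bits      # BIT STRING contents
    if implicit:
        policy = tlv(0x80, oid_content)             # [0] IMPLICIT OBJECT IDENTIFIER
        classes = tlv(0x81, bs_content)             # [1] IMPLICIT BIT STRING
    else:
        policy = tlv(0xA0, tlv(0x06, oid_content))  # [0] EXPLICIT wrapping 06 ...
        classes = tlv(0xA1, tlv(0x03, bs_content))  # [1] EXPLICIT wrapping 03 ...
    return tlv(0x30, policy + classes)              # SEQUENCE

def encodings_differ(policy_oid: str, class_bits: bytes, unused: int = 0) -> bool:
    """True when the two module headers would produce different bytes for one value."""
    return (encode_clearance(policy_oid, class_bits, unused, True)
            != encode_clearance(policy_oid, class_bits, unused, False))

if __name__ == "__main__":
    for implicit in (True, False):   # sample OID 1.2.3.4 and bits 0x08 are constructed
        print("IMPLICIT" if implicit else "EXPLICIT",
              encode_clearance("1.2.3.4", b"\x08", 0, implicit).hex())
```

A decoder built for one module will misparse the other's output, which is exactly why the two syntaxes must produce identical encodings.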