Re: Comments to PKIX AC profile
Russ Housley <rhousley@rsasecurity.com> Tue, 17 April 2001 20:18 UTC
Message-Id: <5.0.1.4.2.20010417120305.01b21da0@exna07.securitydynamics.com>
Date: Tue, 17 Apr 2001 12:10:24 -0400
To: stephen.farrell@baltimore.ie
From: Russ Housley <rhousley@rsasecurity.com>
Subject: Re: Comments to PKIX AC profile
Cc: ietf-pkix@imc.org
In-Reply-To: <3ADC415C.CECBE1CB@baltimore.ie>
References: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com>
Steve:

I think that it is very important to align with the version 2 AC syntax in X.509-2000. Since we mandate the implementation of version 2 AC and the X.509-2000 version 1 AC syntax is not backward compatible with the original X.509-1997 AC syntax, I suggest that we drop the version 1 syntax from our document altogether.

Does this approach raise concerns?

Russ

At 02:13 PM 4/17/2001 +0100, Stephen Farrell wrote:
>Hi John,
>
>You're right about the EXPLICIT, but can't I just change the current
>module to (the 509-2000 compatible) IMPLICIT tagging rather than add a
>whole new module? (Maybe that's what you meant.)
>
>Same thing for clearance: I'll make the change you suggest.
>
>BTW: both of these break code, so anyone with code compliant to the
>-06 I-D, who has a reason not to make the change should yell about
>this now.
>
>Regards,
>Stephen (who just hates sneaky tagging:-)
>
>
>"Pawling, John" wrote:
> >
> > All,
> >
> > In a separate message, Stephen Henson reported an incompatibility between
> > the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile
> > for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509
> > Recommendation (4th Edition, Draft V7, 23 Feb 2001).
> > The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT
> > TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC
> > syntax includes "DEFINITIONS IMPLICIT TAGS ::=". Recommend that the PKIX AC
> > Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e.
> > produces the identical ASN.1 hex encoding) to that defined in the draft 2000
> > X.509 Recommendation. This could be accomplished by moving the AC syntax
> > definition (and component syntax definitions) from the existing Appendix B
> > module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=".
> > That is the strategy used in the draft 2000 X.509 Recommendation.
> >
> > Also, recommend that ac509prof-06 file should be changed so that the
> > Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that
> > defined in X.501. X.501 defines the Clearance attribute syntax using
> > AUTOMATIC TAGS. The Clearance attribute syntax in the PKIX AC profile
> > should be changed as follows to be consistent with X.501:
> >
> > Clearance ::= SEQUENCE
> > {
> >   policyId            [0] OBJECT IDENTIFIER,
> >   classList           [1] ClassList DEFAULT {unclassified},
> >   securityCategories  [2] SET OF SecurityCategory OPTIONAL
> > }
> >
> > ===========================================
> > John Pawling, John.Pawling@GetronicsGov.com
> > Getronics Government Solutions, LLC
> > ===========================================
>
>--
>____________________________________________________________
>Stephen Farrell
>Baltimore Technologies,   tel: (direct line) +353 1 881 6716
>39 Parkgate Street,       fax: +353 1 881 7000
>Dublin 8.                 mailto:stephen.farrell@baltimore.ie
>Ireland                   http://www.baltimore.com
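The thread's point is that the module-level tagging default changes the bytes on the wire: under IMPLICIT TAGS a context-specific tag replaces the universal tag of the component, while under EXPLICIT TAGS it wraps the complete universal TLV, so the same Clearance value encodes to two different octet strings and a decoder built against one module rejects the other. The following is an added example written for this page, not code from the thread, the PKIX profile or X.509; it hand-rolls just enough DER (no ASN.1 library) to encode the Clearance structure quoted above both ways, honours the DER rule that a component equal to its DEFAULT is omitted, and reports which tagging style an encoding uses. The policy OID 1.2.3.4 is a constructed placeholder, securityCategories is left absent, and the ClassList named bits follow the X.501/PKIX definition (unmarked(0) through topSecret(5)).

```python
"""DER encoding of the Clearance attribute under IMPLICIT vs EXPLICIT module
tagging. Stdlib only; the encoder is minimal and covers just this structure.
Clearance ::= SEQUENCE {
  policyId            [0] OBJECT IDENTIFIER,
  classList           [1] ClassList DEFAULT {unclassified},
  securityCategories  [2] SET OF SecurityCategory OPTIONAL  -- left absent here
}"""

# ClassList named bits as defined in X.501 and the PKIX AC profile
CLASS_BITS = {"unmarked": 0, "unclassified": 1, "restricted": 2,
              "confidential": 3, "secret": 4, "topSecret": 5}

UNIVERSAL_BIT_STRING = 0x03
UNIVERSAL_OID = 0x06
UNIVERSAL_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (first two arcs combined,
    remaining arcs in base-128 with continuation bits)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_classlist(names) -> bytes:
    """Content octets of the ClassList named BIT STRING in DER form: bit 0 is
    the most significant bit of the first octet, trailing zero bits are
    dropped, and the leading unused-bits octet is minimal."""
    idx = [CLASS_BITS[n] for n in names]
    if not idx:
        return b"\x00"  # empty bit string: only the unused-bits octet
    highest = max(idx)
    nbytes = highest // 8 + 1
    value = 0
    for i in idx:
        value |= 1 << (nbytes * 8 - 1 - i)
    unused = nbytes * 8 - 1 - highest
    return bytes([unused]) + value.to_bytes(nbytes, "big")


def encode_clearance(policy_oid: str, class_list, implicit: bool) -> bytes:
    """Encode Clearance with the given module tagging. IMPLICIT: the context
    tag [n] replaces the universal tag (primitive, 0x80|n). EXPLICIT: a
    constructed context element (0xA0|n) wraps the full universal TLV."""
    def ctx(n: int, universal_tag: int, content: bytes) -> bytes:
        if implicit:
            return tlv(0x80 | n, content)
        return tlv(0xA0 | n, tlv(universal_tag, content))

    fields = ctx(0, UNIVERSAL_OID, encode_oid(policy_oid))
    # DER requires omitting a component whose value equals its DEFAULT
    if set(class_list) != {"unclassified"}:
        fields += ctx(1, UNIVERSAL_BIT_STRING, encode_classlist(class_list))
    return tlv(UNIVERSAL_SEQUENCE, fields)


def tagging_style(der: bytes) -> str:
    """Look at the first component's tag of an encoded Clearance and report
    which module tagging produced it; a decoder for one rejects the other."""
    if der[0] != UNIVERSAL_SEQUENCE:
        raise ValueError("not a SEQUENCE")
    start = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    first = der[start]
    if first == 0x80:
        return "IMPLICIT"
    if first == 0xA0:
        return "EXPLICIT"
    raise ValueError("unexpected leading tag %#x" % first)


if __name__ == "__main__":
    # Constructed sample: placeholder policy OID, classList = {secret}
    imp = encode_clearance("1.2.3.4", ["secret"], implicit=True)
    exp = encode_clearance("1.2.3.4", ["secret"], implicit=False)
    print("IMPLICIT TAGS:", imp.hex())
    print("EXPLICIT TAGS:", exp.hex())
    print("identical encoding?", imp == exp)
```

Running it shows the two encodings differ in both length and tag octets, which is exactly why John Pawling asks for "the identical ASN.1 hex encoding" and why Stephen notes that the change breaks existing -06 code: an implementation has to pick one module and will fail to parse certificates produced under the other.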