Re: attributes in AC

Stephen Farrell <stephen.farrell@baltimore.ie> Tue, 17 April 2001 13:06 UTC

Message-ID: <3ADC3F64.895C47B0@baltimore.ie>
Date: Tue, 17 Apr 2001 14:04:37 +0100
From: Stephen Farrell <stephen.farrell@baltimore.ie>
Reply-To: stephen.farrell@baltimore.ie
Organization: Baltimore Technologies Ltd.
X-Mailer: Mozilla 4.72 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp>
CC: ietf-pkix@imc.org
Subject: Re: attributes in AC
References: <20010410173741.DB73.ODAHARA@dsa.isl.ntt.co.jp>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

Slightly late response, but here it is...

Syntactically, the access identity attribute can't have the authInfo 
field present. This basically means that you should use the access
identity field if the relying party is willing to believe a straight
assertion from the AA about the holder's identity. In theory that 
should be enough, but it turns out that there are many applications
which still require a username & password to identify/authenticate
a user, so the service auth info attribute allows support for such
applications.

As an example of where this might apply, say you integrate the AC
relying party code into a web server, with a set of web applications
being called from the web server. Now some of those applications
will simply accept a user identity passed from the web server, using
say the ssl client or holder field for identity, others will have their 
own concept of usernames (so you can use the access identity for those),
but still others will have their own username/password handling (so 
you can use service auth info and not bother the user with entry of
additional passwords).

Hope this makes it clearer,
Stephen.

Hideyuki Odahara wrote:
> 
> Please teach me the difference of the use of
> "Service Authentication Information" and "Access Identity"
> in Attribute Certificate, and how to use the "Access Identity"
> attribute if you have any concrete example.
> 
> It is described that "this is a different use to that intended
> for the svceAuthInfo attribute described in 4.4.1 above." at the
> page 19 in the internet-draft (draft-ietf-pkix-ac509prof).
> But there is no example what situation does it suit.
> 
> thanks
> 
> ----------
>   Hideyuki Odahara : odahara@dsa.isl.ntt.co.jp

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
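
The web-server scenario described in the message above, as an added illustration that is not part of the original e-mail or of the draft. It assumes the AC's signature and validity have already been checked and its attributes decoded into the hypothetical tuples shown; the application names, login modes and values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SvceAuthInfo:
    # Value syntax shared by both attributes, modelled as already decoded.
    service: str                       # application the entry is meant for
    ident: str                         # holder's identity at that application
    auth_info: Optional[bytes] = None  # e.g. a password

def check_attribute(attr_type: str, value: SvceAuthInfo) -> None:
    # Syntactic rule from the message: access identity cannot carry authInfo.
    if attr_type == "accessIdentity" and value.auth_info is not None:
        raise ValueError("accessIdentity with authInfo present")

def credentials_for(app: str, mode: str, holder: str, attrs):
    """Return (username, auth_info or None) for one application.

    mode is the application's (hypothetical) configured login style:
    'holder', 'access-identity' or 'password'.
    """
    for attr_type, value in attrs:
        check_attribute(attr_type, value)
    if mode == "holder":
        return holder, None            # app trusts the identity the server passes
    wanted = {"access-identity": "accessIdentity", "password": "svceAuthInfo"}[mode]
    for attr_type, value in attrs:
        if attr_type == wanted and value.service == app:
            if mode == "password" and value.auth_info is None:
                continue               # no secret to replay to this application
            return value.ident, value.auth_info
    # Fail closed: never fall back to a different identity source.
    raise LookupError(f"no {wanted} attribute for {app}")

# Constructed sample: attributes of one AC after signature and validity checks.
SAMPLE_ATTRS = [
    ("accessIdentity", SvceAuthInfo("payroll.example", "jsmith")),
    ("svceAuthInfo", SvceAuthInfo("legacy-crm.example", "js0042", b"constructed-secret")),
]
```
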