Re: X.509 ACs vs. SPKI?
Dale,
(Different Steve here, but never mind :-)
I hope that the ACs I-D does contain exactly that. I'd certainly
be interested in your comments if it doesn't!
The I-D's at:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-00.txt
Regards,
Stephen.
> Steve,
>
> A couple of questions:
>
> 1) Has anyone described this AC Model in summary form ?
>
> 2) Is there an assumption that an AC "must always" contain a reference to an
> x.509 ID-cert ?
>
> 3) Can an AC contain ...
>
> - a pointer to an ID-cert { Issuer DN, Serial Number, Key Hash } ?
> - a reference to an ID-cert (ID-cert Hash) ?
> - a full copy of an ID-cert ?
>
> 4) Is it a general and extensible model or something that can accommodate
> selected access control applications only?
>
> Best Regards,
>
> Dale Gustafson
>
> ---------------------
> Stephen Kent wrote:
>
> > Terry,
> >
> > >I believe that this is the point. The AC would be associated with the
> > >key, not with any specific certificate. Yes, that means there is no
> > >published expiration time for the key, no way to check revocation
> > >(except perhaps with the keyholder), and no way to associate a global
> > >name with it. The last time I checked, it was still possible to use key
> > >pairs without having a certificate associated with them! :)
> >
> > In the X.509 AC model, the key is extracted from a validated identity cert,
> > and that cert does contain the management data about key lifetime, etc.
> > It's just that the AC is used as an important input for rule-based (maybe
> > role-based too) access control decisions, rather than just using the
> > identity in the certificate. Putting a key hash in an AC does not make it
> > into a SPKI cert :-).
> >
> > Steve
>
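The exchange above turns on two points: an AC names its holder by pointing at an identity cert (Issuer DN plus serial number, or a hash of the key), and the access decision only consults the AC's attributes after that identity cert has been validated, which is where expiry and revocation come from. The following Python sketch is an added illustration of that flow; it is not code from the thread or from the PKIX draft. The record types (`IdentityCert`, `AttributeCert`), the field names, the SHA-1 key hash, and the sample certificates are all constructed assumptions, not the ASN.1 of the draft.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class IdentityCert:
    """Stand-in for an X.509 public-key (identity) certificate (constructed)."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes
    not_after: datetime


@dataclass(frozen=True)
class AttributeCert:
    """Stand-in for an X.509 attribute certificate (constructed).

    The holder is named either by (issuer DN, serial number) of the identity
    cert or by a hash of the holder's public key; both forms are assumptions.
    """
    issuer: str
    attributes: Dict[str, str]
    not_after: datetime
    holder_issuer: Optional[str] = None
    holder_serial: Optional[int] = None
    holder_key_hash: Optional[bytes] = None


def key_hash(public_key: bytes) -> bytes:
    # SHA-1 over the raw key bytes; the hash algorithm is an assumption.
    return hashlib.sha1(public_key).digest()


class AcVerifier:
    def __init__(self, id_certs: Iterable[IdentityCert],
                 revoked: Iterable[Tuple[str, int]]):
        self.id_certs = list(id_certs)
        self.revoked = set(revoked)  # (issuer DN, serial) pairs, as on a CRL

    def validate_identity(self, cert: IdentityCert, now: datetime) -> Optional[str]:
        """Return None if the identity cert is usable, else the reason it is not."""
        if now > cert.not_after:
            return "identity cert expired"
        if (cert.issuer, cert.serial) in self.revoked:
            return "identity cert revoked"
        return None

    def find_holder(self, ac: AttributeCert) -> Optional[IdentityCert]:
        """Locate the identity cert the AC's holder field points at."""
        for cert in self.id_certs:
            if ac.holder_issuer is not None and ac.holder_serial is not None:
                if (cert.issuer, cert.serial) == (ac.holder_issuer, ac.holder_serial):
                    return cert
            elif ac.holder_key_hash is not None:
                if key_hash(cert.public_key) == ac.holder_key_hash:
                    return cert
        return None

    def authorize(self, ac: AttributeCert, presented_key: bytes,
                  required_role: str, now: datetime) -> Tuple[bool, str]:
        """Role-based decision: the AC's attributes are used only after the
        holder's identity cert is found, validated, and matched to the key
        the peer proved possession of. Lifetime and revocation come from
        the identity cert, even when the AC names its holder by key hash."""
        if now > ac.not_after:
            return False, "AC expired"
        holder = self.find_holder(ac)
        if holder is None:
            return False, "no identity cert matches the AC holder"
        reason = self.validate_identity(holder, now)
        if reason is not None:
            return False, reason
        if holder.public_key != presented_key:
            return False, "presented key does not match the holder's identity cert"
        role = ac.attributes.get("role")
        if role != required_role:
            return False, f"role {role!r} does not satisfy {required_role!r}"
        return True, f"{holder.subject} admitted as {role}"


# Constructed sample data for a stand-alone run.
NOW = datetime(2000, 1, 1, tzinfo=timezone.utc)
ALICE_KEY = b"constructed-public-key-bytes-for-alice"
ALICE_CERT = IdentityCert("CN=Example CA", 42, "CN=Alice", ALICE_KEY,
                          NOW + timedelta(days=365))
AC_BY_ID = AttributeCert("CN=Example AA", {"role": "auditor"},
                         NOW + timedelta(days=730),
                         holder_issuer="CN=Example CA", holder_serial=42)
AC_BY_HASH = AttributeCert("CN=Example AA", {"role": "auditor"},
                           NOW + timedelta(days=730),
                           holder_key_hash=key_hash(ALICE_KEY))
VERIFIER = AcVerifier([ALICE_CERT], revoked=[])

if __name__ == "__main__":
    print(VERIFIER.authorize(AC_BY_ID, ALICE_KEY, "auditor", NOW))
    print(VERIFIER.authorize(AC_BY_HASH, ALICE_KEY, "auditor", NOW + timedelta(days=400)))
```

Running it shows the key-hash form of the holder behaving exactly like the issuer/serial form: once the identity cert it resolves to has expired or appears on the revocation list, the AC is refused, which is the difference from an SPKI-style certificate bound to a bare key that Stephen Kent points at.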