
Re: X.509 ACs vs. SPKI?

Dale,

(Different Steve here, but never mind:-)

I hope that the ACs I-D does contain exactly that. I'd certainly
be interested in your comments if it doesn't!

The I-D's at:

http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-00.txt

Regards,
Stephen.

> Steve,
> 
> A couple of questions:
> 
> 1) Has anyone described this AC Model in summary form ?
> 
> 2) Is there an assumption that an AC "must always" contain a reference to an
> x.509 ID-cert ?
> 
> 3) Can an AC contain ...
> 
>  - a pointer to an ID-cert { Issuer DN, Serial Number, Key Hash } ?
>  - a reference to an ID-cert (ID-cert Hash) ?
>  - a full copy of an ID-cert ?
> 
> 4) Is it a general and extensible model or something that can accommodate
> selected access control applications only?
> 
> Best Regards,
> 
> Dale Gustafson
> 
> ---------------------
> Stephen Kent wrote:
> 
> > Terry,
> >
> > >I believe that this is the point.  The AC would be associated with the
> > >key, not with any specific certificate.  Yes, that means there is no
> > >published expiration time for the key, no way to check revocation (except
> > >perhaps with the keyholder), and no way to associate a global name with
> > >it.  The last time I checked, it was still possible to use key pairs
> > >without having a certificate associated with them!  :)
> >
> > In the X.509 AC model, the key is extracted from a validated identity cert,
> > and that cert does contain the management data about key lifetime, etc.
> > It's just that the AC is used as an important input for rule-based (maybe
> > role-based too) access control decisions, rather than just using the
> > identity in the certificate.  Putting a key hash in an AC does not make it
> > into a SPKI cert :-).
> >
> > Steve
>
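The point Stephen Kent makes above (the relying party gets key lifetime and revocation status from the validated identity certificate, and the AC only supplies the attributes fed into the access decision) can be shown with a small model of the binding. The following Python is an added example, not code from the I-D, from this thread or from any PKIX implementation. It parses no real certificates: the identity certificate, the two holder forms Dale asks about (an issuer/serial pointer and a digest of the certificate), the CRL knowledge and the "now" clock are all constructed stand-ins, and the AC issuer's signature is assumed to have been checked already.

```python
"""Toy model of how a relying party uses an X.509 attribute certificate (AC).

Constructed example. The AC's holder either points at an identity
certificate (issuer DN + serial) or carries a digest of it; the relying
party resolves that to a certificate it has already validated, takes key
lifetime and revocation status from there, and only then consults the
AC's attributes for a rule-based access decision.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdentityCert:
    issuer: str
    serial: int
    subject: str
    public_key: bytes          # stand-in for SubjectPublicKeyInfo
    not_before: datetime
    not_after: datetime

    def encoding(self) -> bytes:
        # Stand-in for the DER encoding; only used to derive a digest.
        return f"{self.issuer}|{self.serial}|{self.subject}|{self.public_key.hex()}".encode()

    def digest(self) -> bytes:
        return hashlib.sha256(self.encoding()).digest()


@dataclass(frozen=True)
class Holder:
    # Exactly one of the two reference forms is expected to be set.
    base_cert_id: Optional[Tuple[str, int]] = None   # (issuer DN, serial)
    object_digest: Optional[bytes] = None             # digest of the identity cert


@dataclass(frozen=True)
class AttributeCert:
    holder: Holder
    issuer: str
    attributes: Dict[str, str]   # e.g. {"role": "operator"}
    not_before: datetime
    not_after: datetime


class CertStore:
    """The relying party's validated identity certs plus its revocation knowledge."""

    def __init__(self, certs, revoked):
        self._by_id = {(c.issuer, c.serial): c for c in certs}
        self._by_digest = {c.digest(): c for c in certs}
        self._revoked = set(revoked)          # (issuer DN, serial) pairs from a CRL

    def resolve(self, holder: Holder) -> Optional[IdentityCert]:
        if holder.base_cert_id is not None:
            return self._by_id.get(holder.base_cert_id)
        if holder.object_digest is not None:
            return self._by_digest.get(holder.object_digest)
        return None

    def is_revoked(self, cert: IdentityCert) -> bool:
        return (cert.issuer, cert.serial) in self._revoked


def authorize(ac: AttributeCert, store: CertStore, now: datetime, required_role: str):
    """Return (granted, reason). AC signature verification is assumed done already."""
    if not (ac.not_before <= now <= ac.not_after):
        return False, "AC outside its validity period"
    id_cert = store.resolve(ac.holder)
    if id_cert is None:
        # A bare key hash with no validated identity cert behind it is not enough here.
        return False, "holder does not reference a validated identity certificate"
    if not (id_cert.not_before <= now <= id_cert.not_after):
        return False, "identity certificate expired"       # key lifetime comes from the PKC
    if store.is_revoked(id_cert):
        return False, "identity certificate revoked"       # revocation comes from the PKC's CRL
    # The decision itself is rule-based on the AC's attributes, not on identity alone.
    role = ac.attributes.get("role")
    if role != required_role:
        return False, f"role {role!r} does not satisfy {required_role!r}"
    return True, f"granted to key holder {id_cert.subject}"


# --- constructed sample data -------------------------------------------------
UTC = timezone.utc
NOW = datetime(2000, 1, 15, tzinfo=UTC)
NB, NA = datetime(1999, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC)
CA = "CN=Example CA"
ALICE = IdentityCert(CA, 1001, "CN=alice", b"\x01" * 8, NB, NA)
BOB = IdentityCert(CA, 1002, "CN=bob", b"\x02" * 8, NB, NA)
STORE = CertStore([ALICE, BOB], revoked={(CA, 1002)})     # bob's cert is on the CRL

AC_ALICE = AttributeCert(Holder(base_cert_id=(CA, 1001)), "CN=AC Issuer", {"role": "operator"}, NB, NA)
AC_BOB = AttributeCert(Holder(object_digest=BOB.digest()), "CN=AC Issuer", {"role": "operator"}, NB, NA)
AC_ORPHAN = AttributeCert(Holder(object_digest=hashlib.sha256(b"unknown key").digest()),
                          "CN=AC Issuer", {"role": "operator"}, NB, NA)

if __name__ == "__main__":
    for name, ac in [("alice", AC_ALICE), ("bob", AC_BOB), ("orphan", AC_ORPHAN)]:
        print(name, authorize(ac, STORE, NOW, "operator"))
```

Both holder forms resolve to the same validated certificate record, so the expiry and revocation checks are identical whichever pointer the AC uses; an AC whose holder matches nothing the relying party has validated is rejected before any attribute is looked at.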