From owner-spki@c2.net Fri May 28 07:18:16 1999
Received: from blacklodge.c2.net (blacklodge.c2.net [140.174.185.245]) by lox.sandelman.ottawa.on.ca (8.8.7/8.8.8) with ESMTP id HAA00299; Fri, 28 May 1999 07:18:14 -0400 (EDT)
Received: (from majordom@localhost) by blacklodge.c2.net (8.8.8/8.7.3) id DAA13116 for spki-outgoing; Fri, 28 May 1999 03:26:47 -0700 (PDT)
Message-Id: <199905281025.LAA02272@baboo.sse.ie>
X-Mailer: exmh version 1.6.9 8/22/96
To: "Dale Gustafson"
Cc: Stephen Kent , Terry Hayes , ietf-pkix@imc.org, spki@c2.net, farrell@baboo.sse.ie
Subject: Re: X.509 ACs vs. SPKI?
In-Reply-To: Your message of "Thu, 27 May 1999 13:33:38 CDT." <374D9002.6CD24788@datakey.com>
MIME-Version: 1.0
Date: Fri, 28 May 1999 11:25:11 +0100
From: Stephen Farrell
Content-Type: text/plain; charset=us-ascii
Sender: owner-spki@c2.net
Precedence: bulk

Dale,

(Different Steve here, but never mind:-)

I hope that the ACs I-D does contain exactly that. I'd certainly be
interested in your comments if it doesn't! The I-D's at:

http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-00.txt

Regards,
Stephen.

> Steve,
>
> A couple of questions:
>
> 1) Has anyone described this AC Model in summary form ?
>
> 2) Is there an assumption that an AC "must always" contain a reference to an
> x.509 ID-cert ?
>
> 3) Can an AC contain ...
>
> - a pointer to an ID-cert { Issuer DN, Serial Number, Key Hash } ?
> - a reference to an ID-cert (ID-cert Hash) ?
> - a full copy of an ID-cert ?
>
> 4) Is it a general and extensible model or something that can accommodate
> selected access control applications only?
>
> Best Regards,
>
> Dale Gustafson
>
> ---------------------
> Stephen Kent wrote:
>
> > Terry,
> >
> > >I believe that this is the point. The AC would be associated with the
> > >key, not with any specific certificate. Yes, that means there is no
> > >published expiration time for the key, no way to check revocation
> > >(except perhaps with the keyholder), and no way to associate a global
> > >name with it. The last time I checked, it was still possible to use key
> > >pairs without having a certificate associated with them! :)
> >
> > In the X.509 AC model, the key is extracted from a validated identity cert,
> > and that cert does contain the management data about key lifetime, etc.
> > It's just that the AC is used as an important input for rule-based (maybe
> > role-based too) access control decisions, rather than just using the
> > identity in the certificate. Putting a key hash in an AC does not make it
> > into a SPKI cert :-).
> >
> > Steve
>
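The holder-binding forms Dale asks about in question 3 and the AC model Steve Kent describes (key and its lifetime/revocation data come from a validated identity cert; the AC is an input to a rule-based decision) can be illustrated with the following added Python example. It is not code from the I-D, from any poster, or from any PKIX implementation. It assumes the three holder forms of the later RFC 3281 AC profile (baseCertificateID as issuer plus serial, and objectDigestInfo as a digest over either the public key or the whole certificate); the certificate "DER", the SPKI bytes, the revocation set and the sample certificates are constructed stand-ins, not real X.509 encodings.

```python
"""Resolve an attribute certificate (AC) holder to an identity certificate and
make a role-based access decision.  Constructed illustration of the X.509 AC
model discussed in the thread; the Holder forms follow RFC 3281 (assumption),
and all encodings are stand-ins rather than real DER."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Set, Tuple
import hashlib


@dataclass(frozen=True)
class IdCert:
    """Minimal stand-in for an X.509 identity (public-key) certificate."""
    issuer: str
    serial: int
    subject: str
    spki_der: bytes            # constructed stand-in for the SubjectPublicKeyInfo DER
    not_before: datetime
    not_after: datetime

    def der(self) -> bytes:
        """Constructed stand-in for the whole certificate's DER encoding."""
        return f"{self.issuer}|{self.serial}|{self.subject}|".encode() + self.spki_der

    def key_hash(self) -> bytes:          # objectDigestInfo over the public key
        return hashlib.sha256(self.spki_der).digest()

    def cert_hash(self) -> bytes:         # objectDigestInfo over the whole ID-cert
        return hashlib.sha256(self.der()).digest()


@dataclass(frozen=True)
class Holder:
    """AC holder field; exactly one of the three forms is populated."""
    base_cert_id: Optional[Tuple[str, int]] = None   # (issuer DN, serial number)
    key_digest: Optional[bytes] = None               # digest of the public key
    cert_digest: Optional[bytes] = None              # digest of the whole ID-cert


@dataclass(frozen=True)
class AttrCert:
    holder: Holder
    not_before: datetime
    not_after: datetime
    attributes: Dict[str, str] = field(default_factory=dict)   # e.g. {"role": "auditor"}


def resolve_holder(ac: AttrCert, id_certs: Iterable[IdCert]) -> Optional[IdCert]:
    """Find the identity cert the AC is bound to, whichever holder form is used.
    Even a key-digest holder still needs a matching identity cert: the AC alone
    carries no key-management data."""
    h = ac.holder
    for cert in id_certs:
        if h.base_cert_id is not None and (cert.issuer, cert.serial) == h.base_cert_id:
            return cert
        if h.key_digest is not None and cert.key_hash() == h.key_digest:
            return cert
        if h.cert_digest is not None and cert.cert_hash() == h.cert_digest:
            return cert
    return None


def decide(ac: AttrCert, id_certs: Iterable[IdCert], revoked: Set[Tuple[str, int]],
           now: datetime, required_role: str) -> Tuple[bool, str]:
    """Rule-based decision: the AC's role attribute is one input, but validity
    and revocation are checked on the identity cert the key comes from."""
    cert = resolve_holder(ac, id_certs)
    if cert is None:
        return False, "no validated identity certificate matches the AC holder"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "identity certificate outside its validity period"
    if (cert.issuer, cert.serial) in revoked:
        return False, "identity certificate is revoked"
    if not (ac.not_before <= now <= ac.not_after):
        return False, "attribute certificate outside its validity period"
    if ac.attributes.get("role") != required_role:
        return False, "role attribute does not satisfy the rule"
    return True, f"{cert.subject} holds role {required_role}"


# Constructed sample data (dated to the thread, 28 May 1999).
NOW = datetime(1999, 5, 28, 10, 25, tzinfo=timezone.utc)
ALICE = IdCert("CN=Example CA", 4711, "CN=Alice", b"constructed-spki-alice",
               datetime(1999, 1, 1, tzinfo=timezone.utc),
               datetime(2000, 1, 1, tzinfo=timezone.utc))
ID_CERTS = [ALICE]
AC_VALIDITY = (NOW - timedelta(days=1), NOW + timedelta(days=30))
AC_BY_ISSUER_SERIAL = AttrCert(Holder(base_cert_id=("CN=Example CA", 4711)),
                               *AC_VALIDITY, {"role": "auditor"})
AC_BY_KEY_HASH = AttrCert(Holder(key_digest=ALICE.key_hash()), *AC_VALIDITY, {"role": "auditor"})
AC_BY_CERT_HASH = AttrCert(Holder(cert_digest=ALICE.cert_hash()), *AC_VALIDITY, {"role": "auditor"})

if __name__ == "__main__":
    for name, ac in [("issuer+serial", AC_BY_ISSUER_SERIAL), ("key hash", AC_BY_KEY_HASH),
                     ("cert hash", AC_BY_CERT_HASH)]:
        print(name, decide(ac, ID_CERTS, set(), NOW, "auditor"))
    print("revoked", decide(AC_BY_KEY_HASH, ID_CERTS, {("CN=Example CA", 4711)}, NOW, "auditor"))
```

The point of `resolve_holder` is the one Kent makes: whichever form the holder takes, including a bare key hash, the decision only proceeds once a validated identity certificate has been found, because that certificate, not the AC, carries the key's lifetime and revocation status.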