Hi Stephen
you are an AD for the IETF so this is your constituency. Clearly one
would expect you to know what folks who attend IETF meetings want.
But Erik is the editor for X.509 so his constituency is somewhat
different to yours, so he is best placed to answer the motivation question.
I can tell you that ACs are not ubiquitously ignored. We still have over
a thousand downloads per year of our PERMIS open source infrastructure,
with new people enrolling each month. (I have recently compiled a list
of the top 20 IP addresses of those requesting the software, and you
might be surprised at the answer).
FYI I have already offered to help Tim (yesterday)
regards
David
On 21/09/2013 17:07, Stephen Farrell wrote:
Hiya David,
On 09/21/2013 04:32 PM, David Chadwick wrote:
On 21/09/2013 13:48, Stephen Farrell wrote:
Not sure what the question is really, but I absolutely
do wonder why anyone would consider it a good plan to
change specs like x.509 apparently without there being
any implementers who want those changes.
Luckily, rfc 5280 has all you need anyway so it's not
that important any more if x.509 changes.
Yes for PKCs, but it does not address Erik's point which is about ACs
He asked about ACs, I asked about motivation. Mine is
a real question btw, I really don't get why it's useful
to keep messing with x.509, nor why folks want to do
that when no implementers afaik want them to. If you
know the answer, I'd love to hear it.
Also, Tim just sent a mail looking for editors in this
wg. Doing that would seem to me to be far more beneficial
to all interested in PKI.
As for ACs, rfc 5755 does the job there, but is afaik
almost ubiquitously ignored. In the 20 or so years
since I started working with attribute certs (*) every
single proposed use-case turned out to have a better
non-AC approach. But maybe I've just been (un)lucky;-)
Cheers,
S.
(*) They were called PACs back then, based on ETSI TR/46.
The x.509 flavour ACs were added some time later.
David
S
On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
does anyone have any druthers here for
Erik who is trying to update the old
X.509 spec?
--tony
-------- Original Message --------
Subject: [T17Q11] Attribute certificate path
Date: Sat, 21 Sep 2013 14:10:20 +0200
From: Erik Andersen <[email protected]>
To: <[email protected]>
Hi Folks,
I noticed that 12.2 of X.509 talks about attribute certificate path.
However, the associated ASN.1 data type is called
AttributeCertificationPath. As we for public-key certificates talk about
certification path, it seems reasonable to use the term "attribute
certification path" rather than "attribute certificate path".
I also noticed that the ASN.1 indicates that the path is bottom up
rather than top down:
AttributeCertificationPath ::= SEQUENCE {
  attributeCertificate  AttributeCertificate,
  acPath                SEQUENCE OF ACPathData OPTIONAL,
  ... }
Please come back with comments.
Erik
_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops