[x500standard] Re: Resend: Role extension

  • From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Mon, 31 Aug 2015 10:29:56 +0100



On 31/08/2015 10:13, Erik Andersen wrote:

I never got a reaction to this:



---------------------------------------------------



If one instead of using the role attribute type defined in X.509 uses an
extension specified for that purpose and thereby assigns privileges to a
public-key certificate without the use of the subjectDirectoryAttributes
extension, is this a violation of X.509?

No, because X.509 PKCs are infinitely extensible.

Does it prevent the use of some
of the extensions defined in Section 3 otherwise only allowed if the
subjectDirectoryAttributes extension is included?



If an extension in Section 3 mandates the use of
subjectDirectoryAttributes, then if the latter is missing the extension
should also be missing.

regards

David


It is not a theoretical question. IEC 62351-8 defines such a role
extension. As it was published in 2011 and as it is a key smart grid
security specification, it is probably implemented in a lot of systems.
It will be used in the Danish grid (whether I like it or not).



Regards,



Erik





-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
