[x500standard] SV: Re: Resend: Role extension

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>, "SG17-Q11" <t13sg17q11@xxxxxxxxxxxxx>
  • Date: Mon, 31 Aug 2015 12:43:14 +0200

Hi David,

I know you are right. I just wanted to illustrate that our privilege model
for PKC is not particularly well designed.

Kind regards,

Erik

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On behalf of David Chadwick
Sent: 31 August 2015 11:30
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: Resend: Role extension



On 31/08/2015 10:13, Erik Andersen wrote:

I never got a reaction to this:



---------------------------------------------------



If one instead of using the role attribute type defined in X.509 uses
an extension specified for that purpose and thereby assigns privileges
to a public-key certificate without the use of the
subjectDirectoryAttributes extension, is this a violation of X.509?

No, because X.509 PKCs are infinitely extensible.

Does it prevent the use of some
of the extensions defined in Section 3 otherwise only allowed if the
subjectDirectoryAttributes extension is included?



If an extension in Section 3 mandates the use of subjectDirectoryAttributes,
then if the latter is missing the extension should also be missing.

regards

David


It is not a theoretical question. IEC 62351-8 defines such a role
extension. As it was published in 2011 and as it is a key smart grid
security specification, it is probably implemented in a lot of systems.
It will be used in the Danish grid (whether I like it or not).



Regards,



Erik





-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
