On 31/08/2015 11:43, Erik Andersen wrote:
Hi David,
I know you are right. I just wanted to illustrate that our privilege model
for PKC is not particularly well designed.
-----
Kind regards,
Erik
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
Sent: 31 August 2015 11:30
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: Resend: Role extension
On 31/08/2015 10:13, Erik Andersen wrote:
I never got a reaction to this:
---------------------------------------------------
If one instead of using the role attribute type defined in X.509 uses
an extension specified for that purpose and thereby assigns privileges
to a public-key certificate without the use of the
subjectDirectoryAttributes extension, is this a violation of X.509?
No, because X.509 PKCs are infinitely extensible.
Does it prevent the use of some
of the extensions defined in Section 3 otherwise only allowed if the
subjectDirectoryAttributes extension is included?
If an extension in Section 3 mandates the use of subjectDirectoryAttributes,
then if the latter is missing the extension should also be missing.
regards
David
-----
It is not a theoretical question. IEC 62351-8 defines such a role
extension. As it was published in 2011 and as it is a key smart grid
security specification, it is probably implemented in a lot of systems.
It will be used in the Danish grid (whether I like it or not).
Regards,
Erik
www.x500standard.com: The central source for information on the X.500
Directory Standard.