Hi David,

I do not have any problem with what you are saying. I just want to see if others agree or disagree with you.

Besides wanting to have a consistent text in X.509, ACs seem to have some interests. IEC TC 57/WG15 has issued a standard IEC 62351-8 on Role-based Access Control (RBAC) with different profiles, where one is using public-key certificates with a home-grown Role attribute in a home-grown extension. I am not sure I like it. The other one is using attribute certificates in a rather incomplete specification. I do not have the published document, but am trying to get hold of it without paying a fortune.

RBAC seems to play an important role in smart grid security. ACs may be useful after all.

Regards,

Erik

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
Sent: Wednesday, April 09, 2014 10:43 AM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: relying party or privilege verifier

Hi Erik

the definitions from the standard are as follows

privilege verifier: An entity verifying certificates against a privilege policy.

relying party: A user or agent that relies on the data in a certificate in making decisions.

It does not take too much inference to work out that a privilege verifier is a subtype of relying party. But we could add a clarifying sentence to the definition of privilege verifier to say "A type or component of a relying party".

regards

David

On 09/04/2014 08:07, Erik Andersen wrote:
> Hi David,
>
> It is mostly a philosophical question whether privilege verifier is part of relying party. I do not believe it is stated anywhere in X.509. I believe an innocent reader will be confused when the whole section talks about privilege verifier and suddenly sees relying party as a synonym.
>
> Regards,
>
> Erik
>
> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
> Sent: Tuesday, April 08, 2014 7:02 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: relying party or privilege verifier
>
> Hi Erik
>
> they are the same entity, aren't they? The privilege verifier is a component of the relying party
>
> regards
>
> David
>
> On 08/04/2014 15:45, Erik Andersen wrote:
>> The second to the last paragraph of clause 13 of X.509 says:
>>
>> In both deployment models, the SOA issues attributes/privileges to subordinate AAs. The AAs then request the DS to issue a subset of these privilege attributes to other holders. In the second deployment model, the DS can check that an AA is delegating within the overall scope set by the SOA; in the first deployment model, the DS cannot check and the relying party will have to check that delegation was performed correctly.
>>
>> I assume that it should say "privilege verifier" instead of "relying party". Right?
>>
>> Erik

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.