[x500standard] Re: relying party or privilege verifier

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>, "SG17-Q11" <T13sg17q11@xxxxxxxxxxxxx>
  • Date: Wed, 9 Apr 2014 13:24:24 +0200

Hi David,

I do not have any problem with what you are saying. I just want to see if
others agree or disagree with you.

Besides wanting to have a consistent text in X.509, ACs seem to have some
interest. IEC TC 57/WG15 has issued a standard IEC 62351-8 on Role-based
Access Control (RBAC) with different profiles, where one is using
public-key certificates with a home-grown Role attribute in a home-grown
extension. I am not sure I like it. The other one is using attribute
certificates in a rather incomplete specification. I do not have the
published document, but am trying to get hold of it without paying a
fortune.

RBAC seems to play an important role in smart grid security. ACs may be
useful after all.

Regards,

Erik
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
Sent: Wednesday, April 09, 2014 10:43 AM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: relying party or privilege verifier

Hi Erik

the definitions from the standard are as follows

privilege verifier:  An entity verifying certificates against a privilege
policy.

relying party:  A user or agent that relies on the data in a certificate in
making decisions.

It does not take too much inference to work out that a privilege verifier is
a subtype of relying party. But we could add a clarifying sentence to the
definition of privilege verifier to say "A type or component of a relying
party".

regards

David

On 09/04/2014 08:07, Erik Andersen wrote:
> Hi David,
> 
> It is mostly a philosophical question whether privilege verifier is 
> part of relying party. I do not believe it is stated anywhere in 
> X.509. I believe an innocent reader will be confused when the whole 
> section talks about privilege verifier and suddenly sees relying party as
> a synonym.
>  
> Regards,
> 
> Erik
> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx 
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
> Sent: Tuesday, April 08, 2014 7:02 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: relying party or privilege verifier
> 
> Hi Erik
> 
> they are the same entity, aren't they? The privilege verifier is a 
> component of the relying party
> 
> regards
> 
> David
> 
> 
> On 08/04/2014 15:45, Erik Andersen wrote:
>> The second to the last paragraph of clause 13 of X.509 says:
>>
>>  
>>
>> In both deployment models, the SOA issues attributes/privileges to 
>> subordinate AAs. The AAs then request the DS to issue a subset of 
>> these privilege attributes to other holders. In the second deployment 
>> model, the DS can check that an AA is delegating within the overall 
>> scope set by the SOA; in the first deployment model, the DS cannot 
>> check and the relying party will have to check that delegation was
>> performed correctly.
>>
>>  
>>
>> I assume that it should say "privilege verifier" instead of "relying 
>> party". Right?
>>
>>  
>>
>> Erik
>>
>>  
>>
>>  
>>
> -----
> www.x500standard.com: The central source for information on the X.500 
> Directory Standard.
> 