[x500standard] Re: relying party or privilege verifier

  • From: DP-Security-Consulting <dp.sec.consulting@xxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Wed, 09 Apr 2014 18:10:02 +0200

Hi David,

I am in favor of keeping as much as possible a clean separation between an AC and a PKC. So the two current definitions are appropriate and should not be changed, which means that I do not support the proposal from David.

I believe that Erik is right when for the following sentence:

in the first deployment model, the DS cannot
check and the relying party will have to check that delegation was

he states:

   I assume that it should say "privilege verifier" instead of "relying
   party".

Denis


Hi Erik

the definitions from the standard are as follows

privilege verifier:  An entity verifying certificates against a
privilege policy.

relying party:  A user or agent that relies on the data in a certificate
in making decisions.

It does not take too much inference to work out that a privilege
verifier is a subtype of relying party. But we could add a clarifying
sentence to the definition of privilege verifier to say "A type or
component of a relying party".

regards

David

On 09/04/2014 08:07, Erik Andersen wrote:
Hi David,

It is mostly a philosophical question whether privilege verifier is part of
relying party. I do not believe it is stated anywhere in X.509. I believe an
innocent reader will be confused when the whole section talks about
privilege verifier and suddenly see relying party as a synonym.

Regards,

Erik
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
Sent: Tuesday, April 08, 2014 7:02 PM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: relying party or privilege verifier

Hi Erik

they are the same entity, aren't they? The privilege verifier is a component
of the relying party

regards

David


On 08/04/2014 15:45, Erik Andersen wrote:
The second to the last paragraph of clause 13 of X.509 says:

In both deployment models, the SOA issues attributes/privileges to
subordinate AAs. The AAs then request the DS to issue a subset of
these privilege attributes to other holders. In the second deployment
model, the DS can check that an AA is delegating within the overall
scope set by the SOA; in the first deployment model, the DS cannot
check and the relying party will have to check that delegation was
performed correctly.

I assume that it should say "privilege verifier" instead of "relying
party". Right?

Erik

-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
