Hi David,

I am in favor of keeping as much as possible a clean separation between an AC and a PKC. So the two current definitions are appropriate and should not be changed, which means that I do not support the proposal from David.

I believe that Erik is right when for the following sentence:

in the first deployment model, the DS cannot check and the relying party will have to check that delegation was

he states:

I assume that it should say "privilege verifier" instead of "relying party".

Denis

Hi Erik

the definitions from the standard are as follows

privilege verifier: An entity verifying certificates against a privilege policy.

relying party: A user or agent that relies on the data in a certificate in making decisions.

It does not take too much inference to work out that a privilege verifier is a subtype of relying party. But we could add a clarifying sentence to the definition of privilege verifier to say "A type or component of a relying party".

regards

David

On 09/04/2014 08:07, Erik Andersen wrote:

Hi David,

It is mostly a philosophical question whether privilege verifier is part of relying party. I do not believe it is stated anywhere in X.509. I believe an innocent reader will be confused when the whole section talks about privilege verifier and suddenly sees relying party as a synonym.

Regards,
Erik

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Chadwick
Sent: Tuesday, April 08, 2014 7:02 PM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: relying party or privilege verifier

Hi Erik

they are the same entity, aren't they? The privilege verifier is a component of the relying party

regards

David

On 08/04/2014 15:45, Erik Andersen wrote:

The second to the last paragraph of clause 13 of X.509 says:

In both deployment models, the SOA issues attributes/privileges to subordinate AAs. The AAs then request the DS to issue a subset of these privilege attributes to other holders. In the second deployment model, the DS can check that an AA is delegating within the overall scope set by the SOA; in the first deployment model, the DS cannot check and the relying party will have to check that delegation was performed correctly.

I assume that it should say "privilege verifier" instead of "relying party". Right?

Erik

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.