[x500standard] Can anyone explain ... (signing of bind)?

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: "Directory list" <x500standard@xxxxxxxxxxxxx>, "SG17-Q11" <t09sg17q11@xxxxxxxxxxxxx>
  • Date: Sun, 17 Jul 2011 10:55:39 +0200

A lot of garbage was introduced in the third edition of the Directory
Specifications and we are still struggling with some of the stuff.

The following paragraph was introduced at the start of clause 8 of X.511 -
Bind operation.

"The arguments of the operation may be signed, encrypted, or signed and
encrypted (see clause 15.3 of ITU-T Rec. X.501 | ISO/IEC 9594-2) by the
requestor.  If so requested, the Directory may sign, encrypt, or sign and
encrypt the results. (The bit on encryption was later removed)."

However, neither the bind argument nor the bind result specifies the
possibility for signing.

The third edition also introduced signing of bind errors. Does that make
sense? The requestor cannot ask for signing of bind error, as the
securityParameters are not included in the bind argument.

Now the very big question. Can anyone explain the following paragraph
introduced in the third edition of 8.1.2 Directory Bind arguments?

If the operation is to be signed and encrypted, an attribute certificate
containing the attribute certificate (See Clause 8.2 of ITU-T Rec. X.509 |
ISO/IEC 9594-8) may be used to convey the clearances required to access the
attribute.  The attributeCertificationPath is used to convey a security
clearance for rule based access control, or other attribute, conveyed in an
Attribute Certificate, optionally with the certificates needed to validate
the Attribute Certificate.

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
