Thank you for saying that introducing a trust broker to act on behalf of an RP is a profound change in scope. You now recognise the significant deficiency in the old closed X.509 model.

regards
David

On 14/10/2013 13:05, Tony Rutkowski wrote:

This revised summary clearly reflects a profound change in scope and concept by introducing and defining a "trust broker," as well as moving away from X.509's relatively narrow purpose by your eliminating the sentence "these frameworks may be used by other standards bodies to profile their application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI)." Who is seeking these changes? Who made the decision?

--tony

On 10/14/2013 6:14 AM, Erik Andersen wrote:

Hi folks,

It has been decided to make X.509 a pure PKI/PMI specification, moving pure directory stuff to other parts (X.511 and X.520). That includes Password Policy. This requires the Summary to be updated.

The old Summary is:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines a framework for public-key certificates and attribute certificates. These frameworks may be used by other standards bodies to profile their application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation | International Standard defines a framework for the provision of authentication services by Directory to its users. It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services.

A first draft for a new summary is proposed here:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines frameworks for public-key infrastructure (PKI) and privilege management infrastructure (PMI). It introduces the basic concept of asymmetric cryptographic techniques. It specifies the following data types: public-key certificate, attribute certificate, certificate revocation list (CRL) and attribute certificate revocation list (ACRL). It also defines several certificate and CRL extensions, and it defines directory schema information allowing PKI and PMI related data to be stored in a directory. In addition, it defines PKI entity types, such as certification authority (CA), attribute authority (AA), relying party, trust broker and trust anchor. It specifies the principles for certificate validation, validation path, certificate policy, etc.

Please comment. Any suggestion is welcome.

Regards,
Erik
----- www.x500standard.com: The central source for information on the X.500 Directory Standard.