| < draft-ietf-pkix-3281update-00.txt | draft-ietf-pkix-3281update-01.txt > | |||
|---|---|---|---|---|
| PKIX WG Stephen Farrell, Trinity College Dublin | IETF PKIX WG Stephen Farrell, Trinity College Dublin | |||
| Internet Draft Russ Housley, Vigil Security | Internet Draft Russ Housley, Vigil Security | |||
| Intended Status: Standards Track Sean Turner, IECA | Intended Status: Standards Track Sean Turner, IECA | |||
| Updates: 3281 (once approved) October 8, 2008 | Updates: 3281 (once approved) October 26, 2008 | |||
| Expires: April 8, 2009 | Expires: April 26, 2009 | |||
| An Internet Attribute Certificate Profile for Authorization: Update | An Internet Attribute Certificate Profile for Authorization: Update | |||
| draft-ietf-pkix-3281update-00.txt | draft-ietf-pkix-3281update-01.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on April 8, 2008. | This Internet-Draft will expire on April 26, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| This document updates RFC 3281. It incorporates verified errata. | This document updates RFC 3281. It incorporates verified errata. | |||
| Discussion | Discussion | |||
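
Review bot: the expiry year in the "Status of this Memo" paragraph is inconsistent with the page header in both columns: the -01 header says "Expires: April 26, 2009" while the memo text reads "This Internet-Draft will expire on April 26, 2008." Six months after the October 26, 2008 date is April 26, 2009, so the memo sentence should read "This Internet-Draft will expire on April 26, 2009." (the -00 column has the same 2008/2009 mismatch for April 8).
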
| skipping to change at page 3, line 43 ¶ | skipping to change at page 3, line 43 ¶ | |||
| NEW: | NEW: | |||
| Note: [X.509-2000] defines the extension syntax as a "SEQUENCE OF | Note: [X.509-2000] defines the extension syntax as a "SEQUENCE OF | |||
| Targets". Conforming AC issuer implementations MUST only produce one | Targets". Conforming AC issuer implementations MUST only produce one | |||
| "Targets" element. Conforming AC users MUST be able to accept a | "Targets" element. Conforming AC users MUST be able to accept a | |||
| "SEQUENCE OF Targets". If more than one Targets element is found in | "SEQUENCE OF Targets". If more than one Targets element is found in | |||
| an AC, the extension MUST be treated as if all Target elements had | an AC, the extension MUST be treated as if all Target elements had | |||
| been found within one Targets element. | been found within one Targets element. | |||
| 4. Changes to Section 4.6 | 4. Changes to Section 4.4.6 | |||
| Replace OLD1 text with NEW1 text. This change incorporates verified | Replace OLD1 text with NEW1 text. This change incorporates verified | |||
| technical errata #302. Replace OLD2 text with NEW2 text. This change | technical errata #302. Replace OLD2 text with NEW2 text. This change | |||
| incorporates reported technical errata #1479. | incorporates reported technical errata #1479. | |||
| NOTE for OLD1: The differences in tagging arose due to an unnoticed | NOTE for OLD1: The differences in tagging arose due to an unnoticed | |||
| technical corrigendum (TC-2) being applied to the X.501 [X.501-1997] | technical corrigendum (TC-2) being applied to the X.501 [X.501-1997] | |||
| document during preparation of [RFC3281]. The X.501 format is the | document during preparation of [RFC3281]. The X.501 format is the | |||
| correct form. Implementers SHOULD modify their decoding functions to | correct form. Implementers SHOULD modify their decoding functions to | |||
| accept either format and, even if claiming RFC 3281 conformance, | accept either format and, even if claiming RFC 3281 conformance, | |||
| SHOULD output the (correct) X.501 format. | SHOULD output the (correct) X.501 format. | |||
| NOTE for OLD2: The two changes 1) removing the IMPLICIT from the type | NOTE for OLD2: The two changes 1) removing the IMPLICIT from the type | |||
| line and 2) adding the EXPLICIT to the value line. Both changes are | line and 2) adding the EXPLICIT to the value line. Both changes are | |||
| for clarity, for alignment with X.501, and do not change the bits on | for clarity, for alignment with X.501, and do not change the bits on | |||
| the wire. With respect to 1) the module uses IMPLICIT tags therefore | the wire. With respect to 1) the module uses IMPLICIT tags therefore | |||
| the IMPLICIT in the type line is extraneous and is removed | the IMPLICIT in the type line is extraneous and is removed | |||
| 2) [0] ANY, [0] EXPLICIT ANY, and [0] IMPLICIT ANY all result in the | 2) [1] ANY, [1] EXPLICIT ANY, and [1] IMPLICIT ANY all result in the | |||
| same encoding therefore for alignment purposes with X.501:1997 the | same encoding therefore for alignment purposes with X.501:1997 the | |||
| EXPLICIT is added. | EXPLICIT is added. | |||
| OLD1: | OLD1: | |||
| Clearance ::= SEQUENCE { | Clearance ::= SEQUENCE { | |||
| policyId [0] OBJECT IDENTIFIER, | policyId [0] OBJECT IDENTIFIER, | |||
| classList [1] ClassList DEFAULT {unclassified}, | classList [1] ClassList DEFAULT {unclassified}, | |||
| securityCategories [2] SET OF SecurityCategory OPTIONAL | securityCategories [2] SET OF SecurityCategory OPTIONAL | |||
| } | } | |||
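
Review bot: the NOTE for OLD2 is not a complete sentence and runs its two points together: "The two changes 1) removing the IMPLICIT from the type line and 2) adding the EXPLICIT to the value line." has no main verb, and "is removed" is followed directly by "2) [1] ANY ..." with no full stop. Suggest "The two changes are: 1) removing the IMPLICIT from the type line, and 2) adding the EXPLICIT to the value line." and "is removed. 2) [1] ANY, [1] EXPLICIT ANY, and [1] IMPLICIT ANY all result in the same encoding; therefore, for alignment with X.501:1997, the EXPLICIT is added." The -01 column also changes the tag in that sentence from [0] to [1]; the OLD2/NEW2 text it refers to is outside this diff, so check that [1] is the tag actually used on the value line there.
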
| skipping to change at page 5, line 18 ¶ | skipping to change at page 5, line 18 ¶ | |||
| reported technical errata #304. | reported technical errata #304. | |||
| OLD: | OLD: | |||
| The AC then contains the ciphertext inside its signed data. The | The AC then contains the ciphertext inside its signed data. The | |||
| EnvelopedData (id-envelopedData) ContentType is used, and the content | EnvelopedData (id-envelopedData) ContentType is used, and the content | |||
| field will contain the EnvelopedData type. | field will contain the EnvelopedData type. | |||
| NEW: | NEW: | |||
| Within EnvelopedData, the encapuslatedContentInfo identifies the | Within EnvelopedData, the encapsulatedContentInfo identifies the | |||
| content type carried withing the ciphertext. In this case, the | content type carried withing the ciphertext. In this case, the | |||
| contentType field of encapsulatedContentInfo MUST contain id-ct- | contentType field of encapsulatedContentInfo MUST contain id-ct- | |||
| attrCertEncAttrs, which has the following value: | attrCertEncAttrs, which has the following value: | |||
| attrCertEncAttrs OBJECT IDENTIFIER ::= { | attrCertEncAttrs OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| id-smime(16) id-ct(1) 14 } | id-smime(16) id-ct(1) 14 } | |||
| 6. Changes to Section 10 | 6. Changes to Section 10 | |||
| Replace the reference to X.501:1993 to X.501:1997. This change | Replace the reference to X.501:1993 to X.501:1997. This change | |||
| incorporates reported technical errata #1479. | incorporates reported technical errata #1479. | |||
| NOTE: Clearance was defined in X.501:1997 not X.501:1993. | NOTE: Clearance was defined in X.501:1993 not X.501:1997. | |||
| OLD: | OLD: | |||
| [X.501-1993] ITU-T Recommendation X.501 : Information Technology - | [X.501-1993] ITU-T Recommendation X.501 : Information Technology - | |||
| Open Systems Interconnection - The Directory: Models, | Open Systems Interconnection - The Directory: Models, | |||
| 1993. | 1993. | |||
| NEW: | NEW: | |||
| [X.501-1997] ITU-T Recommendation X.501 : Information Technology - | [X.501-1997] ITU-T Recommendation X.501 : Information Technology - | |||
| Open Systems Interconnection - The Directory: Models, | Open Systems Interconnection - The Directory: Models, | |||
| 1997. | 1997. | |||
| 7. Changes to Annex B | 7. Changes to Annex B | |||
| This module replaces the module in Annex B of [RFC3281]. It | This module replaces the module in Annex B of [RFC3281]. It | |||
| incorporates verified technical errata #302 and #1480 and verified | incorporates verified technical errata #302 and #1480 and verified | |||
| editorial errata #303. | editorial errata #303. | |||
| PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6) | PKIXAttributeCertificate-2008 { iso(1) identified-organization(3) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-attribute-cert2(TBA)} | id-mod-attribute-cert2(TBA) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| IMPORTS | IMPORTS | |||
| -- IMPORTed module OIDs MAY change if [PKIXPROF] changes | -- IMPORTed module OIDs MAY change if [PKIXPROF] changes | |||
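
Review bot: the NOTE under "Changes to Section 10" is inverted in -01 and now contradicts the change it justifies: the section replaces [X.501-1993] with [X.501-1997], and the NOTE for OLD1 attributes the correct Clearance tagging to X.501 [X.501-1997] with TC-2, yet the -01 NOTE reads "Clearance was defined in X.501:1993 not X.501:1997." The -00 wording ("defined in X.501:1997 not X.501:1993") is the one consistent with the rest of the document, so restore it. Also in this hunk: "Replace the reference to X.501:1993 to X.501:1997" should be "with X.501:1997"; "withing" in the NEW paragraph on EnvelopedData is still misspelled in both columns ("within"); that paragraph names the content type "id-ct-attrCertEncAttrs" while the value assignment defines "attrCertEncAttrs", so one identifier should be changed to match the other; and in CMS (RFC 3852) the EnvelopedData field that carries the contentType is encryptedContentInfo (EncryptedContentInfo), encapsulatedContentInfo being the SignedData field, so the spelling correction in -01 should probably be a rename to encryptedContentInfo instead. Finally, the module comment "-- IMPORTed module OIDs MAY change if [PKIXPROF] changes" is stale now that [PKIXPROF] resolves to the published RFC 5280 in Section 10.1.
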
| skipping to change at page 10, line 25 ¶ | skipping to change at page 10, line 25 ¶ | |||
| acSerial INTEGER, | acSerial INTEGER, | |||
| attrs SEQUENCE OF Attribute | attrs SEQUENCE OF Attribute | |||
| } | } | |||
| ProxyInfo ::= SEQUENCE OF Targets | ProxyInfo ::= SEQUENCE OF Targets | |||
| END | END | |||
| 8. Security Considerations | 8. Security Considerations | |||
| No new security considerations to those already noted in [RFC3281] | The security considerations in [RFC3281] apply. No new security | |||
| are added as a result of this document. | considerations are added as a result of this document. | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| None. | This document makes extensive use of object identifiers to register | |||
| extensions and attributes. Most are registered in an arc delegated | ||||
| by IANA to the PKIX Working Group. Other are taken from ITU-T | ISO | ||||
| arc. Additionally, an object identifier is used to identify the | ||||
| ASN.1 module found in Section 7. No further action by IANA is | ||||
| necessary for this document or any anticipated updates. | ||||
| 10. References | 10. References | |||
| 10.1. Normative | 10.1. Normative | |||
| [PKIXPROF] Cooper, D., Santesson, S., Farrell, S., Boeyen, S. | [PKIXPROF] Cooper, D., Santesson, S., Farrell, S., Boeyen, S. | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure | Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure | |||
| Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, | Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, | |||
| May 2008. | May 2008. | |||
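
Review bot: the new Section 9 text states "No further action by IANA is necessary for this document or any anticipated updates", but the ASN.1 module in Section 7 still carries the placeholder "id-mod-attribute-cert2(TBA)" in the PKIX id-mod arc, which needs an assignment before publication; either request that assignment here or say that it is pending. Grammar in the same paragraph: "Other are taken from ITU-T | ISO arc" should read "Others are taken from the ITU-T | ISO arc". In 10.1, the author list "Boeyen, S. Housley, R." is missing a comma after "S.", and since [PKIXPROF] now cites the published RFC 5280, consider citing it as [RFC5280] for consistency with [RFC3281].
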
| End of changes. 11 change blocks. | ||||
| 15 lines changed or deleted | 20 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||