- From: Manuel Gil Perez <manuel@dif.um.es>
- Date: Fri, 13 Oct 2006 11:52:13 +0200
- To: www-xkms@w3.org
- Cc: Michael Wilde <michael.wilde@yahoo.de>
Dear Michael, XKMS folks,

X509v3 certificates cannot contain any privilege (in your case, a role name) that belongs to an end identity. An X509v3 certificate only links statically a public key with a specific identity, not privileges.

To fix this "problem", the IETF-PKIX WG defined a new structure called "X.509 Attribute Certificate" (RFC 3281) to associate privileges with a specific identity. Section 4.4.5 of that RFC defines how to define/include a role name.

IMHO, my advice is that we/you should try to extend the current XKMS services to support this new kind of certificate, and so provide a new PKIX service (privileges) to the users.

Cheers,

--
Manuel Gil Perez
UMU-PKIv6 (http://pki.inf.um.es)
University of Murcia, SPAIN

Michael Wilde wrote:
> Hi,
>
> my research field is the extensibility of the XKMS 2.0 specification.
> Basically I am searching for a possibility to integrate rolenames into
> X509v3 certificates.
>
> These rolenames are represented as ordinary Strings and should be
> integrated directly into the certificates during registration of a key
> pair, such that it is possible to extract them after receiving the
> certificate later from an XKMS service.
>
> During my research I stumbled over the following website [1]. One of the
> topics there deals with the question: "X509 attributes, where to put
> them in?". This would be exactly what I am looking for. The previously
> mentioned rolenames could be integrated using attributes, but how can
> this be done using an XKMS service? Is there any standardized way to
> do that yet?
>
> Best regards,
> Michael.
Received on Monday, 16 October 2006 01:12:25 UTC
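The Role attribute that Manuel points to (RFC 3281 section 4.4.5) is what an attribute certificate carries instead of stuffing a role string into the X509v3 identity certificate. The following is an added example, not code from the thread or from UMU-PKIv6: a standard-library-only DER encoder and extractor for that attribute, so a relying party can check how the role name is actually carried (the `urn:...` role URI is a constructed sample value).

```python
# Added example (not from the original thread): minimal DER handling for the
# RFC 3281 section 4.4.5 Role attribute, standard library only.
ID_AT_ROLE_DER = bytes([0x55, 0x04, 0x48])  # OID 2.5.4.72 (id-at-role), DER content octets

def der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):  # one DER tag-length-value triple
    return bytes([tag]) + der_len(len(content)) + content

def encode_role_attribute(role_uri):
    # RoleSyntax ::= SEQUENCE { roleAuthority [0] GeneralNames OPTIONAL,
    #                           roleName      [1] GeneralName }
    # roleName must be a uniformResourceIdentifier: GeneralName [6] IA5String.
    role_name = tlv(0x86, role_uri.encode("ascii"))
    role_syntax = tlv(0x30, tlv(0xA1, role_name))  # [1] is explicit: it tags a CHOICE
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF AttributeValue }
    return tlv(0x30, tlv(0x06, ID_AT_ROLE_DER) + tlv(0x31, role_syntax))

def read_tlv(buf, pos=0):  # returns (tag, content bytes, offset after the TLV)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def extract_role_names(attribute_der):
    """Role URIs carried by one DER Attribute; [] if its OID is not id-at-role."""
    _, attr, _ = read_tlv(attribute_der)
    oid_tag, oid, pos = read_tlv(attr)
    if oid_tag != 0x06 or oid != ID_AT_ROLE_DER:
        return []
    _, values, _ = read_tlv(attr, pos)
    roles, pos = [], 0
    while pos < len(values):
        _, role_syntax, pos = read_tlv(values, pos)
        inner_tag, inner, p = read_tlv(role_syntax)
        if inner_tag == 0xA0:  # optional roleAuthority present: skip it
            inner_tag, inner, p = read_tlv(role_syntax, p)
        # RFC 3281 requires the URI form; any other GeneralName choice is rejected
        if inner_tag != 0xA1 or not inner or inner[0] != 0x86:
            raise ValueError("roleName must be a uniformResourceIdentifier")
        roles.append(read_tlv(inner)[1].decode("ascii"))
    return roles
```

In a real deployment the Attribute sits inside the signed AttributeCertificateInfo, so the AC issuer's signature and validity period must be verified before any extracted role is trusted.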