Re: XKMS and X509v3 attributes, where to put them in?

Hi Michael,

Michael Wilde wrote:
> Hi,
> 
> my research field is the extensibility of the XKMS 2.0 specification. 
> Basically I am searching for a possibility to integrate rolenames into 
> X509v3 certificates.

Check out how roles are handled in X.509 attribute certs - the same
applies to public key certs (and has nothing to do with xkms of
course). You may have to go back to X.509 or maybe an ansi document
to get that since the IETF profiles don't say anything much about
roles.

> 
> These rolenames are represented as ordinary Strings and should be 
> integrated directly into the certificates during registration of a key 
> pair, such that it is possible to extract them after receiving the 
> certificate later from an XKMS service.
> 
> During my research I stumbled over the following website [1]. 

Missing reference?

> One of the
> topics there deals with the question: "X509 attributes, where to put 
> them in?". This would be exactly what I am looking for. The previously 
> mentioned rolenames could be integrated using attributes, but how can 
> this be done using an XKMS service? Is there any standardized way how to 
> do that yet?

Yes, there're at least two options:

- You could use the ds:KeyName or define a new ds:KeyInfo which might
make sense if the rolename & key are tightly bound
- You could use a UseKeyWith value, probably in the Identifier attribute

Hope that helps,
Stephen.

Received on Friday, 13 October 2006 14:08:11 UTC
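The two placements suggested in the reply, worked through as an added Python example (not code from the mail or from any XKMS implementation): one variant carries each role as an extra ds:KeyName inside ds:KeyInfo, the other carries it in the Identifier attribute of an xkms:UseKeyWith element, and a single extraction routine recovers the roles from a received KeyBinding either way. The XKMS and XML Signature namespaces are the real ones; the Application URI `urn:example:xkms:role`, the `role:` KeyName prefix, the key name and the `Id` value are assumptions made for the example, since XKMS 2.0 standardises none of them.

```python
import xml.etree.ElementTree as ET

# Real namespaces from the XKMS 2.0 and XML Signature specifications.
XKMS_NS = "http://www.w3.org/2002/03/xkms#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Hypothetical Application URI for role assertions; XKMS 2.0 defines no such value,
# so client and service would have to agree on one out of band.
ROLE_APP_URI = "urn:example:xkms:role"
# Hypothetical prefix convention for carrying a role inside a ds:KeyName value.
ROLE_KEYNAME_PREFIX = "role:"

ET.register_namespace("xkms", XKMS_NS)
ET.register_namespace("ds", DS_NS)


def _q(ns, local):
    """Clark-notation qualified name as ElementTree expects it."""
    return f"{{{ns}}}{local}"


def build_prototype_key_binding(key_name, roles, via="usekeywith"):
    """Build an xkms:PrototypeKeyBinding (the body of a RegisterRequest) carrying roles.

    via="keyname":    one extra ds:KeyName per role inside ds:KeyInfo
    via="usekeywith": one xkms:UseKeyWith per role, the role in its Identifier attribute
    """
    if via not in ("keyname", "usekeywith"):
        raise ValueError(f"unknown placement: {via}")
    kb = ET.Element(_q(XKMS_NS, "PrototypeKeyBinding"), {"Id": "kb-1"})  # Id is constructed
    key_info = ET.SubElement(kb, _q(DS_NS, "KeyInfo"))
    ET.SubElement(key_info, _q(DS_NS, "KeyName")).text = key_name
    if via == "keyname":
        for role in roles:
            ET.SubElement(key_info, _q(DS_NS, "KeyName")).text = ROLE_KEYNAME_PREFIX + role
    # KeyUsage precedes UseKeyWith in the XKMS 2.0 KeyBindingAbstractType content model.
    ET.SubElement(kb, _q(XKMS_NS, "KeyUsage")).text = XKMS_NS + "Signature"
    if via == "usekeywith":
        for role in roles:
            ET.SubElement(kb, _q(XKMS_NS, "UseKeyWith"),
                          {"Application": ROLE_APP_URI, "Identifier": role})
    return kb


def extract_roles(kb):
    """Return the role names found in a KeyBinding, whichever placement was used.

    Only rely on these values once the enclosing XKMS response has been
    authenticated (its ds:Signature verified); this routine does no such check.
    """
    roles = []
    for elem in kb.findall(_q(XKMS_NS, "UseKeyWith")):
        if elem.get("Application") == ROLE_APP_URI and elem.get("Identifier"):
            roles.append(elem.get("Identifier"))
    for elem in kb.findall(f"{_q(DS_NS, 'KeyInfo')}/{_q(DS_NS, 'KeyName')}"):
        if elem.text and elem.text.startswith(ROLE_KEYNAME_PREFIX):
            roles.append(elem.text[len(ROLE_KEYNAME_PREFIX):])
    return roles


def roundtrip(roles, via):
    """Serialise the binding as it would travel on the wire, reparse it, extract roles."""
    xml_bytes = ET.tostring(build_prototype_key_binding("alice-signing-key", roles, via))
    return extract_roles(ET.fromstring(xml_bytes))


if __name__ == "__main__":
    for placement in ("usekeywith", "keyname"):
        print(placement, roundtrip(["admin", "auditor"], placement))
```

The UseKeyWith variant keeps ds:KeyInfo untouched and is easier for an XKMS service to filter on (Application plus Identifier), whereas the KeyName variant binds the role to the key material itself, which matches the reply's remark about the role and key being tightly bound.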