
Clearance Sponsor Attribute
draft-turner-clearancesponsor-attribute-03

Yes

(Tim Polk)

No Objection

(Cullen Jennings)
(Lisa Dusseault)
(Pasi Eronen)
(Ralph Droms)
(Ron Bonica)
(Ross Callon)
(Russ Housley)

Abstain

(Lars Eggert)

Note: This ballot was opened for revision 03 and is now closed.

Tim Polk Former IESG member
Yes
Yes () Unknown

                            
Alexey Melnikov Former IESG member
No Objection
No Objection (2009-11-18) Unknown
Abstract 

   This document defines the clearance sponsor attribute.  This 
   attribute may be included in locations or protocols that support 
   X.500 attributes.

"Protocols"?

2. Clearance Sponsor 

   The clearance sponsor attribute indicates the sponsor of the 
   clearance of the subject with which this attribute is associated.  
   This attribute is only meaningful if the clearance attribute 
   [RFC3281bis] is also present.  The clearance sponsor attribute is a 
   DirectoryString [RFC5280], which MUST use the UTF8String CHOICE, 
   string with a minimum size of 1 characters and a maximum of 32 
   characters. 

Did you mean Unicode characters or octets?

3. Security Considerations 

   If this attribute is used as part of an authorization process, the 
   procedures employed by the entity that assigns each value

Did you mean clearance values?

   must ensure 
   that the correct value is applied.
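
The characters-versus-octets question raised in the comment above, as an added example that is not part of the ballot comment or the draft: a Python check that decodes a UTF8String TLV and applies the 1..32 bound under both readings. The function names and sample values are constructed for illustration, and "characters" is taken here to mean Unicode code points.

```python
# Added example: names and sample values are constructed, not from the draft.
UTF8STRING_TAG = 0x0C        # ASN.1 universal tag for UTF8String
MIN_SIZE, MAX_SIZE = 1, 32   # bounds quoted from section 2 of the draft


def der_utf8string(text: str) -> bytes:
    """DER-encode text as a UTF8String (short or long length form)."""
    body = text.encode("utf-8")
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([UTF8STRING_TAG]) + length + body


def parse_utf8string(der: bytes) -> str:
    """Decode one UTF8String TLV; other DirectoryString CHOICEs are rejected."""
    if len(der) < 2 or der[0] != UTF8STRING_TAG:
        raise ValueError("not a UTF8String")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n or der[2] == 0:
            raise ValueError("bad length encoding")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if length < 0x80:
            raise ValueError("non-minimal length")
    body = der[offset:]
    if len(body) != length:
        raise ValueError("length does not match content")
    return body.decode("utf-8")  # strict: malformed UTF-8 raises ValueError


def check_sponsor(der: bytes) -> dict:
    """Apply the size bound under both readings of 'characters'."""
    text = parse_utf8string(der)
    chars, octets = len(text), len(text.encode("utf-8"))  # code points, bytes
    return {
        "chars": chars,
        "octets": octets,
        "ok_as_characters": MIN_SIZE <= chars <= MAX_SIZE,
        "ok_as_octets": MIN_SIZE <= octets <= MAX_SIZE,
    }
```

A value of twenty "é" characters is 20 code points but 40 octets, so it passes one reading and fails the other; two implementations that disagree on the unit would disagree on whether to accept it.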
Cullen Jennings Former IESG member
(was Discuss) No Objection
No Objection () Unknown

                            
Dan Romascanu Former IESG member
No Objection
No Objection (2009-11-19) Unknown
1. I support Pasi's part of the DISCUSS about 32 length strings being too short for proper identification of organizations, and Jari's COMMENT about lack of definition of the term 'sponsor'.

2. Same comment as with the other turner draft about the normative reference to a superseded version of the X.680 Recommendation.
Jari Arkko Former IESG member
No Objection
No Objection (2009-11-18) Unknown
Some of the same comments apply here as in the other draft-turner.

In addition, the document seems to lack a definition of a "sponsor".
When I followed the references I understood what was meant by
"clearance". But it is still unclear what a sponsor is. Is this an
entity that performed the clearance evaluation, or the entity that
paid for it?

Also, I support Cullen's comments on DirectoryString and its length.
My main issue with DirectoryString is that I have no idea what I should
be putting to the sponsor attribute. If I put in "NSA", will it help
me get through access controls at some place? :-)
Lisa Dusseault Former IESG member
No Objection
No Objection () Unknown

                            
Magnus Westerlund Former IESG member
No Objection
No Objection (2009-11-19) Unknown
I agree with both Cullen's and Pasi's discusses. This document is not clear on where it can really be used or what a receiver of the attribute really can do. If it is intended for machine use and to point at a location where information can be verified, then it should be a locator with a specified request mechanism. If it is for human consumption, then it should say that and be clear that machines are not intended to act on the attribute.
Pasi Eronen Former IESG member
(was Discuss) No Objection
No Objection () Unknown

                            
Ralph Droms Former IESG member
No Objection
No Objection () Unknown

                            
Ron Bonica Former IESG member
No Objection
No Objection () Unknown

                            
Ross Callon Former IESG member
No Objection
No Objection () Unknown

                            
Russ Housley Former IESG member
No Objection
No Objection () Unknown

                            
Lars Eggert Former IESG member
Abstain
Abstain () Unknown