Last Call Review of draft-ietf-pkix-authorityclearanceconstraints-
review-ietf-pkix-authorityclearanceconstraints-secdir-lc-atkins-2009-08-18-00

Request: Review of draft-ietf-pkix-authorityclearanceconstraints
Requested revision: No specific revision (document currently at 03)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-08-14
Requested: 2009-08-03
Authors: Sean Turner, Dr. Santosh Chokhani
I-D last updated: 2009-08-18
Completed reviews: Secdir Last Call review of -?? by Derek Atkins
Assignment: Reviewer Derek Atkins
State: Completed
Request: Last Call review on draft-ietf-pkix-authorityclearanceconstraints by Security Area Directorate (Assigned)
Completed: 2009-08-18
I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

   This document defines the syntax and semantics for the Clearance 
   attribute and the Authority Clearance Constraints extension in X.509 
   certificates.  The Clearance attribute is used to indicate the 
   clearance held by the subject.  The Clearance attribute may appear in 
   the subject directory attributes extension of a public key 
   certificate or in the attributes field of an attribute certificate.  
   The Authority Clearance Constraints certificate extension values in a 
   Trust Anchor (TA), CA public key certificates, and an Attribute 
   Authority (AA) public key certificate in a public key certification 
   path constrain the effective Clearance of the subject.   

As with all certificate attributes (in particular constraints), it's
always a question of when to use them and what to do when the
attribute doesn't exist.  In this case the mere presence of an
attribute could release classified information, but luckily this is
briefly mentioned in the Security Considerations section.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
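The abstract above says that Authority Clearance Constraints values along a certification path "constrain the effective Clearance of the subject", and the review raises the question of what a relying party should do when a certificate in the path carries no such extension. The following is an added example, not code from the review, the draft or its authors: it models the path-by-path intersection in a deliberately simplified form (one policy identifier per Clearance, class list and security categories as plain label sets) so that the two readings of an absent extension can be compared side by side. The OID string, the category labels and the `absent_is_unconstrained` switch are constructed for illustration; the normative processing rules, including how an absent extension is actually treated, must be taken from the draft itself.

```python
"""Simplified model of effective-clearance computation along a certification path.

Added illustration only; the real ASN.1 structures and processing rules are
defined by draft-ietf-pkix-authorityclearanceconstraints and are richer than this.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Classification labels, modelled loosely on the classList names used by the
# Clearance attribute. The set is illustrative; no ordering is assumed here.
LEVELS = ("unmarked", "unclassified", "restricted", "confidential", "secret", "topSecret")


@dataclass(frozen=True)
class Clearance:
    policy_id: str                 # security policy identifier (dotted OID string)
    class_list: FrozenSet[str]     # permitted classification levels under that policy
    categories: FrozenSet[str]     # permitted security categories, simplified to labels


def intersect_one(a: Clearance, b: Clearance) -> Optional[Clearance]:
    """Intersect two Clearance values for the same policy; None if nothing survives."""
    if a.policy_id != b.policy_id:
        return None
    classes = a.class_list & b.class_list
    if not classes:
        return None
    return Clearance(a.policy_id, classes, a.categories & b.categories)


def intersect_sets(current: Iterable[Clearance], constraints: Iterable[Clearance]) -> FrozenSet[Clearance]:
    """Intersect two sets of Clearance values policy by policy.

    A policy present on only one side is dropped: neither side grants it alone.
    """
    by_policy = {c.policy_id: c for c in constraints}
    out = set()
    for c in current:
        other = by_policy.get(c.policy_id)
        if other is None:
            continue
        merged = intersect_one(c, other)
        if merged is not None:
            out.add(merged)
    return frozenset(out)


def effective_clearance(path: List[Optional[Iterable[Clearance]]],
                        subject: Iterable[Clearance],
                        absent_is_unconstrained: bool = True) -> FrozenSet[Clearance]:
    """Compute the subject's effective Clearance given the path's constraints.

    path    : per-certificate Authority Clearance Constraints, trust anchor first;
              None marks a certificate without the extension.
    subject : the Clearance values the end entity asserts.
    absent_is_unconstrained : constructed switch. True treats a missing extension
              as "this authority imposes no constraint"; False applies a strict
              local policy in which an authority that says nothing may grant nothing.
    """
    effective: Optional[FrozenSet[Clearance]] = None  # None = no constraint seen yet
    for constraints in path:
        if constraints is None:
            if absent_is_unconstrained:
                continue
            return frozenset()
        effective = frozenset(constraints) if effective is None else intersect_sets(effective, constraints)
    if effective is None:
        return frozenset(subject)          # nobody constrained the subject at all
    return intersect_sets(subject, effective)


# Constructed sample path: TA -> CA -> AA (AA lacks the extension) and a subject.
POLICY = "1.3.6.1.4.1.99999.1"  # placeholder OID, not a registered policy


def run_example(strict: bool = False) -> FrozenSet[Clearance]:
    ta = [Clearance(POLICY, frozenset({"unclassified", "confidential", "secret"}), frozenset({"A", "B"}))]
    ca = [Clearance(POLICY, frozenset({"unclassified", "confidential"}), frozenset({"A", "B", "C"}))]
    aa = None  # extension absent on the attribute authority's certificate
    subject = [
        Clearance(POLICY, frozenset({"confidential", "secret"}), frozenset({"A"})),
        Clearance("1.3.6.1.4.1.99999.2", frozenset({"topSecret"}), frozenset()),  # policy no authority granted
    ]
    return effective_clearance([ta, ca, aa], subject, absent_is_unconstrained=not strict)


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient", sorted(
            (c.policy_id, sorted(c.class_list), sorted(c.categories)) for c in run_example(strict)))
```

Run lenient, the subject's "secret" is cut down by the CA's constraint and the second policy disappears because no authority in the path ever granted it, leaving a single confidential/A clearance; run strict, the AA's silence empties the result. Which of the two a relying party should implement is exactly the point the reviewer asks the document to answer, and a deployment should fix that choice in local policy rather than leave it to whichever library happens to be in use.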