Last Call Review of draft-ietf-pkix-authorityclearanceconstraints-
review-ietf-pkix-authorityclearanceconstraints-secdir-lc-atkins-2009-08-18-00
| Request | Review of | draft-ietf-pkix-authorityclearanceconstraints |
|---|---|---|
| | Requested revision | No specific revision (document currently at 03) |
| | Type | Last Call Review |
| | Team | Security Area Directorate (secdir) |
| | Deadline | 2009-08-14 |
| | Requested | 2009-08-03 |
| | Authors | Sean Turner, Dr. Santosh Chokhani |
| | Draft last updated | 2009-08-18 |
| | Completed reviews | Secdir Last Call review of -?? by Derek Atkins |
| Assignment | Reviewer | Derek Atkins |
| | State | Completed Snapshot |
| | Review | review-ietf-pkix-authorityclearanceconstraints-secdir-lc-atkins-2009-08-18 |
| | Completed | 2009-08-18 |
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This document defines the syntax and semantics for the Clearance
attribute and the Authority Clearance Constraints extension in X.509
certificates. The Clearance attribute is used to indicate the
clearance held by the subject. The Clearance attribute may appear in
the subject directory attributes extension of a public key
certificate or in the attributes field of an attribute certificate.
The Authority Clearance Constraints certificate extension values in a
Trust Anchor (TA), CA public key certificates, and an Attribute
Authority (AA) public key certificate in a public key certification
path constrain the effective Clearance of the subject.
As with all certificate attributes (in particular constraints), it's
always a question of when to use them and what to do when the
attribute doesn't exist. In this case the mere presence of an
attribute could release classified information, but luckily this is
briefly mentioned in the Security Considerations section.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant