Attribute Certificate (AC) Policies Extension
RFC 4476

Document Type RFC - Proposed Standard (May 2006; No errata)
Last updated 2013-03-02
Stream IETF
IESG IESG state RFC 4476 (Proposed Standard)
Responsible AD Russ Housley
Network Working Group                                         C. Francis
Request for Comments: 4476                                      Raytheon
Category: Standards Track                                      D. Pinkas
                                                                May 2006

             Attribute Certificate (AC) Policies Extension

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes one certificate extension that explicitly
   states the Attribute Certificate Policies (ACPs) that apply to a
   given Attribute Certificate (AC).  The goal of this document is to
   allow relying parties to perform an additional test when validating
   an AC, i.e., to assess whether a given AC carrying some attributes
   can be accepted on the basis of references to one or more specific

1.  Introduction

   When issuing a Public Key Certificate (PKC), a Certificate Authority
   (CA) can perform various levels of verification with regard to the
   subject identity (see [RFC3280]).  A CA makes its verification
   procedures, as well as other operational rules it abides by,
   "visible" through a certificate policy, which may be referenced by a
   certificate policies extension in the PKC.

   The purpose of this document is to define an Attribute Certificate
   (AC) policies extension able to explicitly state the AC policies that
   apply to a given AC, but not the AC policies themselves.  Attribute
   Certificates are defined in [RFC3281].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  AC Policies Extension Semantics

   An Attribute Certificate Policy is a named set of rules that
   indicates the applicability of an AC to a particular community and/or
   class of applications with common security requirements.  It defines
   rules for the generation, issuance, and revocation of ACs.  It may
   also include additional rules for attributes registration.

   Note that an Attribute Authority (AA) does not necessarily support
   one single ACP.  However, for each AC that is delivered, the AA SHALL
   make sure that the policy applies to all the attributes that are
   contained in it.

   An ACP may be used by an AC user to decide whether or not to trust
   the attributes contained in an AC for a particular purpose.

   When an AC contains an AC policies extension, the extension MAY, at
   the option of the AA, be either critical or non-critical.

   The AC Policies extension MAY be included in an AC.  Like all X.509
   certificate extensions [X.509], the AC policies extension is defined
   using ASN.1 [ASN1].  See Appendix A.

   The definitions are presented in the 1988 Abstract Syntax Notation
   One (ASN.1) rather than the 1997 ASN.1 syntax used in the most recent
   ISO/IEC/ITU-T standards.

   The AC policies extension is identified by id-pe-acPolicies.

      id-pe-acPolicies OBJECT IDENTIFIER ::= { iso(1)
        identified-organization(3) dod(6) internet(1) security(5)
        mechanisms(5) id-pkix(7) id-pe(1) 15 }

   The AC policies extension includes a list of AC policies recognized
   by the AA that apply to the attributes included in the AC.

   AC Policies may be defined by any organization with a need.  Object
   identifiers used to identify AC Policies are assigned in accordance
   with [X.660|ISO9834-1].

   The AC policies extension in an AC indicates the AC policies for
   which the AC is valid.

   An application that recognizes this extension and its content SHALL
   process the extension regardless of the value of the criticality
   flag.

   If the extension is both flagged non-critical and not recognized by
   the AC-using application, then the application MAY ignore it.
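   The following is an added example, not part of RFC 4476 or of any
   IETF code: it DER-encodes id-pe-acPolicies from the arc given above,
   builds an extension value, and applies the processing rules of this
   section as a relying party would.  The policy OIDs under 2.999 are
   constructed placeholders (that arc is reserved for examples); the
   PolicyInformation shape and the rejection of a critical unrecognized
   extension are assumptions taken from X.509, not quoted from this page.

```python
# Added example, not part of RFC 4476: DER-encode id-pe-acPolicies from the arc
# in Section 2, build an extension value, and apply the Section 2 processing rules.
from dataclasses import dataclass

ID_PE_AC_POLICIES = "1.3.6.1.5.5.7.1.15"  # ... id-pkix(7) id-pe(1) 15, per Section 2

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: the first two arcs merge as 40*a+b, then each value
    is base-128 with a continuation bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [value & 0x7F]
        value >>= 7
        while value:
            octets.insert(0, (value & 0x7F) | 0x80)
            value >>= 7
        body.extend(octets)
    return bytes([0x06, len(body)]) + bytes(body)

def der_sequence(content: bytes) -> bytes:
    """DER SEQUENCE wrapper; short-form length only, enough for this example."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are out of scope for this example")
    return bytes([0x30, len(content)]) + content

def encode_ac_policies(policy_oids) -> bytes:
    """Extension value as SEQUENCE OF PolicyInformation carrying only policy OIDs.
    Assumes Appendix A (not reproduced on this page) uses the PolicyInformation
    shape of the PKC certificate policies extension."""
    return der_sequence(b"".join(der_sequence(encode_oid(o)) for o in policy_oids))

@dataclass
class Extension:
    oid: str
    critical: bool
    policies: tuple = ()  # decoded policy OIDs when oid == ID_PE_AC_POLICIES

def decide(ext: Extension, recognized: set, acceptable: set) -> str:
    """Relying-party verdict for one extension: 'accept', 'ignore' or 'reject'."""
    if ext.oid not in recognized:
        # Non-critical: Section 2 lets the application ignore it. Critical: rejected
        # under the general X.509 criticality rule, assumed here, not quoted above.
        return "reject" if ext.critical else "ignore"
    if ext.oid == ID_PE_AC_POLICIES:
        # Recognized, so processed regardless of the criticality flag: the AC is
        # usable only if it names at least one policy the relying party accepts.
        return "accept" if set(ext.policies) & set(acceptable) else "reject"
    return "accept"
```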
