No, I didn't think of using Attribute Certificate not for "authentication" per se - but to ascertain certain properties of the authenticated entities. Your visa example is excellent - it illustrates my point very well.
As for who manages AC - that's a different question, because AT THIS TIME CA's are the only organizations that both have public trust to provide this service (certifying something about public keys) and have the necessary experience and position to do that. I'm thinking of industrial deployment - for that I believe we need some company & framework already established. I see no reason (besides possible unwillingness) who CA's would not want the extra business of certifying things other than "raw" indentities. Verification process isn't that different (if at all), and they are already verifying some attributes - so why not more. Thanks for PERMIS reference - I wasn't aware of it, will check. Regards, Uri > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dmitrij Mironov > Sent: Monday, August 07, 2006 01:44 > To: openssl-users@openssl.org > Subject: RE: extending a PKCS12 certificate > > IMHO Attribute Certificates (AC) must be issued not by CA's, > but by other institutions (if I remember correctly this is > stated in RFC3181). PKC (public key cert.) in this situation > is like passport and AC is like visa. > > If you are planning to use AC for authentification, then only > you must manage AC issuance and revocation process. So, you > need not a certificates from cert. providers, but AC > infrastructure solution. Give some attention to openPERMIS or > PERMIS projects, probably this helps. > > Regards, > > Dmitrij > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Mouse > > Sent: Friday, August 04, 2006 5:10 PM > > To: openssl-users@openssl.org > > Subject: RE: extending a PKCS12 certificate > > > > It doesn't makes much sense to add attributes to certs if > values of > > those attributes can't be verified. Attribute Certificate seems the > > right way to go (thanks, Vijay!). > > > > The question is - do our "mainstream" CA's (such as VeriSign, > > etc.) support Attribute Certificate? > > > > Tnx! > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of > Sascha Kiefer > > > Sent: Friday, August 04, 2006 10:00 > > > To: openssl-users@openssl.org > > > Subject: RE: extending a PKCS12 certificate > > > > > > Hi Gerd, > > > > > > It will. But as Dmitrij already pointed out that there are > > Attribute > > > Certificates. > > > Those attributes are not part of the signed data, so they can be > > > change (but also by anybody). > > > > > > But inside a PKCS there are at least safe and for > internal use, it > > > might work. (But you do not want to send login information > > that maybe > > > stored in a public certificate send to the outside world, > so for my > > > understanding, it will no longer be a public certificate, > would it?) > > > > > > So long, > > > --sk > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of > > > [EMAIL PROTECTED] > > > Sent: Freitag, 4. August 2006 17:24 > > > To: openssl-users@openssl.org > > > Subject: RE: extending a PKCS12 certificate > > > > > > Hello Sascha, > > > > > > wouldn't this invalidate the digest and therefor the entire > > > certificate? > > > If changing the arbitrary data does not invalidate the > > certificate, it > > > must not be part of the digest, but then everybody would > be able to > > > change it. > > > > > > And just adding the arbitrary data to the PKCS12 file would > > not make > > > those data more trustworthy either. If this is possible at all. > > > > > > With kind regards > > > > > > Gerd > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of > > Sascha Kiefer > > > > Sent: Friday, August 04, 2006 2:11 PM > > > > To: openssl-users@openssl.org > > > > Subject: RE: extending a PKCS12 certificate > > > > > > > > As far as i know, PKCS12 is just a combination of your > > > private key and > > > > the public certificate. So, it should be possible to > extract the > > > > certificate, make the changes and pack it together with > > the private > > > > key again. > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of > > Theodore Olen > > > > Sent: Freitag, 4. August 2006 15:31 > > > > To: openssl-users@openssl.org > > > > Subject: extending a PKCS12 certificate > > > > > > > > Hello all, > > > > > > > > I would like to ask a question about PKCS12 certificates. > > > > > > > > Is it possible to extend a PKCS12 certificate with > > arbitral data? I > > > > would like to extend a given certificate with user data > > > (such as login > > > > and > > > > password) in such a way that the output certificate is > > > still a valid > > > > certificate. > > > > > > > > If so, can this be done with OpenSSL? How do I extract the > > > extensions? > > > > > > > > Thanks in advance. Kind regards, > > > > > > > > Theodore > > > > > > > > > _________________________________________________________________ > > > > Meer ruimte nodig? Maak nu je eigen Space http://spaces.msn.nl/ > > > > > > > > > > > > > > ______________________________________________________________________ > > > > OpenSSL Project > > > http://www.openssl.org > > > > User Support Mailing List > > > openssl-users@openssl.org > > > > Automated List Manager > > > [EMAIL PROTECTED] > > > > > > > > > > > > > > ______________________________________________________________________ > > > > OpenSSL Project > > > http://www.openssl.org > > > > User Support Mailing List > > > openssl-users@openssl.org > > > > Automated List Manager > > > [EMAIL PROTECTED] > > > > > > > > > > ______________________________________________________________________ > > > OpenSSL Project > > http://www.openssl.org > > > User Support Mailing List > > openssl-users@openssl.org > > > Automated List Manager > > [EMAIL PROTECTED] > > > > > > > > > ______________________________________________________________________ > > > OpenSSL Project > > http://www.openssl.org > > > User Support Mailing List > > openssl-users@openssl.org > > > Automated List Manager > > > [EMAIL PROTECTED] > > > > > ______________________________________________________________________ > > OpenSSL Project > http://www.openssl.org > > User Support Mailing List > openssl-users@openssl.org > > Automated List Manager > [EMAIL PROTECTED] > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager > [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
