Bob Jueneman wrote:

> This is going to sound like heresy, but has anyone defined an
> OID tag for XACML, so that an XACML string could be included
> in a X.509 certificate?
...
> Toolkits which would provide enterprises to issue their own
> certificates have so far failed to take off to any
> significant degree
...
> One of the reasons, I believe, is that neither the public
> TTPs nor the toolkit vendors have so far adequately addressed
> the important issue of providing a cross-enterprise Privilege
> Management Infrastructure solution. And now that they are
> feeling a very significant financial pinch, they may not have
> the wherewithal to solve that problem.

Perhaps you are simply looking for an OID to put arbitrary XML in a cert, so this response will be overkill, but I believe your message implies a lack of understanding of the XML security work currently going on at OASIS (SAML and XACML).

XACML is defining the means to express Access Control Policies. I don't really see what the semantics of an access control policy in the middle of a cert would be.

Perhaps you are thinking of SAML. SAML has Attribute Assertions which are almost like Attribute Certs. Also it has Authentication Assertions which seem mostly useful in a non-PKI environment. Finally there are Authorization Decision Assertions, which are likely to be quite specific to a resource and short lived. Again it is not clear what putting one in a cert would signify exactly.

Of course all can be signed using XMLdsig and thus be consumers of PKIX mechanisms. But I am unclear what sort of a use case you have in mind.

> Maybe it's just the religion of the week (XML) creating an
> evangelistic fervor, but that's where the buzz seems to be
> these days. And I'd rather drop some XACML into an X.509
> certificate and make use of the existing tools, rather than
> create everything from scratch.
>
> And yes, if X.509 attribute
> certificates had been better thought out and/or more widely
> implemented, maybe this wouldn't be necessary. And if pigs
> could whistle and cows could fly, then the world would be a
> much different place.

If you believe X.509 Attribute Certs are broken (as opposed to unused) I would like to hear why, since SAML Attribute Assertions are very similar. On the other hand, SAML has a lot of other machinery, so perhaps we have already addressed your concerns.

I understand the buzz concern, but there is actually very little overlap between the functional capabilities of PKIX and the OASIS security work.

> Anyway, does anyone have such an OID and a suggested way to
> use it? If not, I guess I'll explore rolling my own, unless
> someone else wants to join in the fun.

Before you design something, I suggest you propose a use case or some requirements or something.

Regards,

Hal
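The distinction Hal draws above, that an XACML policy is a set of rules evaluated against attributes of a subject while a SAML Attribute Assertion (like an X.509 attribute certificate) binds attributes to a subject, can be made concrete with a small illustration. The following Python is added here and is not part of the thread or of any OASIS deliverable: the two XML documents are constructed and deliberately simplified (the namespace URIs are the real SAML 1.0 and XACML 1.0 ones, but the element layout of the policy, in particular the `Condition` shorthand, is an assumption made for brevity and is not schema-valid XACML), and the `evaluate` function is a toy policy decision point, not a real XACML engine.

```python
"""Added illustration: attributes carried by a SAML Attribute Assertion
versus rules carried by an (simplified) XACML policy.  Both XML documents
are constructed samples; the policy layout is not schema-valid XACML."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # real SAML 1.0 namespace
XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"    # real XACML 1.0 namespace
NS = {"saml": SAML_NS, "xacml": XACML_NS}

# Constructed sample: an issuer binds attributes to a subject.  This is the
# part that plays the same role as an X.509 attribute certificate.
SAML_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="example-1"
                Issuer="hr.example.com">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="department" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()

# Constructed, simplified policy: rules about a resource and an action,
# phrased in terms of attribute names/values, bound to no particular subject.
# (The Condition element with AttributeName/Value is a shorthand assumed
# here; real XACML spells conditions out with functions and designators.)
XACML_POLICY = f"""
<xacml:Policy xmlns:xacml="{XACML_NS}" PolicyId="ledger-policy"
              RuleCombiningAlgId="first-applicable">
  <xacml:Rule RuleId="auditors-read-ledger" Effect="Permit">
    <xacml:Target>
      <xacml:Resources><xacml:Resource>ledger</xacml:Resource></xacml:Resources>
      <xacml:Actions><xacml:Action>read</xacml:Action></xacml:Actions>
    </xacml:Target>
    <xacml:Condition AttributeName="role" Value="auditor"/>
  </xacml:Rule>
  <xacml:Rule RuleId="deny-rest" Effect="Deny"/>
</xacml:Policy>
""".strip()


def subject_attributes(assertion_xml):
    """Return (subject name, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AttributeStatement", NS)
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    attrs = {}
    for attr in stmt.findall("saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("AttributeName")] = values
    return subject, attrs


def evaluate(policy_xml, attrs, resource, action):
    """Toy PDP: return the Effect of the first rule whose target and
    condition both match, else 'NotApplicable'."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("xacml:Rule", NS):
        target = rule.find("xacml:Target", NS)
        if target is not None:   # a rule without a Target matches everything
            resources = [r.text for r in target.findall("xacml:Resources/xacml:Resource", NS)]
            actions = [a.text for a in target.findall("xacml:Actions/xacml:Action", NS)]
            if resource not in resources or action not in actions:
                continue
        cond = rule.find("xacml:Condition", NS)
        if cond is not None:
            if cond.get("Value") not in attrs.get(cond.get("AttributeName"), []):
                continue
        return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    who, attrs = subject_attributes(SAML_ASSERTION)
    print(who, attrs)
    for act in ("read", "write"):
        print(act, "ledger ->", evaluate(XACML_POLICY, attrs, "ledger", act))
```

The assertion answers "what is true about alice", which is something an issuer can reasonably sign and hand out, while the policy answers "who may do what to the ledger" and only yields a decision once it is combined with attributes at evaluation time; embedding the policy in a certificate about alice would leave that evaluation step undefined.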