

24.2.3 Authorization Token Format


   The authorization_token field of the EstablishContext message of the Security Attribute Service context element is used to carry a sequence (0 or more) of typed representations of authorization data. The AuthorizationElementType defines the contents and encoding of the contents of the_element field.

   The high-order 20 bits of each AuthorizationElementType constant shall contain the Vendor Minor Codeset ID (VMCID) of the organization that defined the element type. The low-order 12 bits shall contain the organization-scoped element type identifier. The high-order 20 bits of all element types defined by the OMG shall contain the VMCID allocated to the OMG (that is, 0x4F4D0).

   Organizations must register their VMCIDs with the OMG before using them to define an AuthorizationElementType.

   typedef unsigned long AuthorizationElementType;
   typedef sequence <octet> AuthorizationElementContents;

   struct AuthorizationElement {
       AuthorizationElementType the_type;
       AuthorizationElementContents the_element;
   };

   typedef sequence <AuthorizationElement> AuthorizationToken;

   const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;
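   The following Python is an added example, not part of the CSIv2 specification or any ORB implementation. It packs and unpacks AuthorizationElementType values exactly as the text above prescribes (VMCID in the high-order 20 bits, organization-scoped identifier in the low-order 12 bits) and derives the X509AttributeCertChain constant from the OMG VMCID 0x4F4D0. The function and constant names are the example's own.

```python
# Added example: AuthorizationElementType layout per CSIv2 24.2.3.
#   bits 31..12 : VMCID of the defining organization (20 bits)
#   bits 11..0  : organization-scoped element type identifier (12 bits)

OMG_VMCID = 0x4F4D0          # VMCID allocated to the OMG, per the spec text
VMCID_BITS = 20
ELEMENT_ID_BITS = 12
ELEMENT_ID_MASK = (1 << ELEMENT_ID_BITS) - 1   # 0xFFF


def make_element_type(vmcid: int, element_id: int) -> int:
    """Compose a 32-bit AuthorizationElementType from its two fields."""
    if not 0 <= vmcid < (1 << VMCID_BITS):
        raise ValueError("VMCID must fit in 20 bits")
    if not 0 <= element_id < (1 << ELEMENT_ID_BITS):
        raise ValueError("element type identifier must fit in 12 bits")
    return (vmcid << ELEMENT_ID_BITS) | element_id


def split_element_type(element_type: int) -> tuple:
    """Return (vmcid, element_id) for an AuthorizationElementType constant."""
    if not 0 <= element_type < (1 << 32):
        raise ValueError("AuthorizationElementType is an unsigned long (32 bits)")
    return element_type >> ELEMENT_ID_BITS, element_type & ELEMENT_ID_MASK


def is_omg_defined(element_type: int) -> bool:
    """True if the element type's VMCID is the one allocated to the OMG."""
    return split_element_type(element_type)[0] == OMG_VMCID


# The IDL constant OMGVMCID is the OMG VMCID already placed in the high-order
# 20 bits (0x4F4D0 << 12), so "OMGVMCID | 1" yields the same value as below.
X509_ATTRIBUTE_CERT_CHAIN = make_element_type(OMG_VMCID, 1)   # 0x4F4D0001


if __name__ == "__main__":
    print(hex(X509_ATTRIBUTE_CERT_CHAIN))
    print(split_element_type(X509_ATTRIBUTE_CERT_CHAIN))
```

   A TSS that dispatches on the_type can use split_element_type to separate vendor-specific element types from OMG-defined ones before deciding whether it recognizes the element at all.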

   This specification has defined one element encoding type, an X509AttributeCertChain. For this type, the field the_element contains an encapsulation octet stream containing an ASN.1 type composed of an X.509 AttributeCertificate and a sequence of 0 or more X.509 Certificates. The corresponding ASN.1 definition appears below:

   VerifyingCertChain ::= SEQUENCE OF Certificate

   AttributeCertChain ::= SEQUENCE {
       attributeCert     AttributeCertificate,
       certificateChain  VerifyingCertChain
   }

   The chain of identity certificates may be provided to certify the attribute certificate. Each certificate in the chain shall directly certify the one preceding it. The first certificate in the chain shall certify the attribute certificate. The ASN.1 representation of Certificate shall be as defined in [IETF RFC 2459]. The ASN.1 representation of AttributeCertificate shall be as defined in [IETF ID PKIXAC].

   24.2.3.1 Extensions of the IETF AC Profile for CSIv2

   The extensions field of an X.509 Attribute Certificate (AC) provides for the association of additional attributes with the holder or subject of the AC.

   Each extension includes an extnID (an object identifier), an extnValue (an octet string), and a critical field (a boolean). The extnID identifies the extension, and the extnValue contains the value of the instance of the identified extension. The critical field indicates whether a certificate-using system shall reject the certificate if it does not recognize the extension. If the critical field is set to TRUE and the extension is not recognized (by its extnID), then the certificate shall be rejected. A non-critical extension that is not recognized may be ignored.

   Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

   Extension ::= SEQUENCE {
       extnID     OBJECT IDENTIFIER,
       critical   BOOLEAN DEFAULT FALSE,
       extnValue  OCTET STRING
   }

   [IETF ID PKIXAC] defines a profile for ACs that defines a collection of extensions that may be used in ACs that conform to the profile. An AC that includes any subset of these extensions conforms to the profile. An AC that includes any other critical extension does not conform to the profile. An AC that includes any other non-critical extension conforms to the profile.

   The CSIv2 AC profile adds the Proxy Info extension to the collection of extensions defined by the IETF profile. This critical extension may be used to define who may act as proxy for the AC subject. Refer to [IETF ID PKIXAC] for the details of the format and semantics of the Proxy Info extension.

   A TSS shall reject a security context that contains an authorization element of type X509AttributeCertChain that contains critical extensions or attributes not recognized by the TSS. In this case, the TSS shall return a ContextError service context element containing major and minor error codes indicating the evidence is invalid (that is, “Invalid evidence”) as defined in Section 24.3.5, “ContextError Values and Exceptions,” on page 24-30.
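   The following Python is an added example, not part of the specification or of any ORB's TSS. It models the TSS-side checks that the text describes for an X509AttributeCertChain element: the chain-ordering rule from 24.2.3 (the first certificate certifies the attribute certificate, and each later certificate certifies the one preceding it) and the critical-extension rule above (an unrecognized critical extension makes the evidence invalid, an unrecognized non-critical one is ignored). Certificates are represented as plain records keyed by subject and issuer names rather than parsed from DER, the example does not model AC attributes (only extensions), and the "Invalid evidence" outcome is reported as a string because the page does not give the numeric error codes. The Proxy Info OID is id-pe-ac-proxying as published in RFC 3281, the successor of the draft cited; the other OIDs and all names are constructed for the example.

```python
# Added example: TSS validation of an AttributeCertChain element per CSIv2.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Extension:
    extn_id: str            # dotted-decimal OID
    critical: bool = False
    extn_value: bytes = b""


@dataclass(frozen=True)
class Certificate:          # stand-in for an X.509 identity certificate
    subject: str
    issuer: str


@dataclass(frozen=True)
class AttributeCertificate:
    holder: str
    issuer: str
    extensions: Tuple[Extension, ...] = ()


@dataclass(frozen=True)
class AttributeCertChain:   # ASN.1 AttributeCertChain from 24.2.3
    attribute_cert: AttributeCertificate
    certificate_chain: Tuple[Certificate, ...] = ()   # VerifyingCertChain (may be empty)


# id-pe-ac-proxying (Proxy Info) as registered in RFC 3281.
PROXY_INFO_OID = "1.3.6.1.5.5.7.1.10"


@dataclass
class Verdict:
    accepted: bool
    reason: str
    ignored: Tuple[str, ...] = ()   # unrecognized non-critical extensions skipped


def check_chain_order(chain: AttributeCertChain) -> Optional[str]:
    """None if the chain order follows the spec, otherwise a reason string."""
    expected_issuer = chain.attribute_cert.issuer
    for i, cert in enumerate(chain.certificate_chain):
        if cert.subject != expected_issuer:
            return (f"certificate {i} (subject={cert.subject!r}) does not certify "
                    f"the preceding element (issuer={expected_issuer!r})")
        expected_issuer = cert.issuer
    return None


def check_extensions(ac: AttributeCertificate, recognized: frozenset) -> Verdict:
    """Reject on the first unrecognized critical extension; ignore non-critical ones."""
    ignored = []
    for ext in ac.extensions:
        if ext.extn_id in recognized:
            continue
        if ext.critical:
            return Verdict(False, f"Invalid evidence: unrecognized critical extension {ext.extn_id}",
                           tuple(ignored))
        ignored.append(ext.extn_id)
    return Verdict(True, "ok", tuple(ignored))


def validate_element(chain: AttributeCertChain, recognized: frozenset) -> Verdict:
    """Combined TSS check for one X509AttributeCertChain authorization element."""
    problem = check_chain_order(chain)
    if problem is not None:
        return Verdict(False, "Invalid evidence: " + problem)
    return check_extensions(chain.attribute_cert, recognized)


# Constructed sample data (names and the 1.2.3.4.x OIDs are invented).
RECOGNIZED = frozenset({PROXY_INFO_OID})
AC = AttributeCertificate(holder="CN=alice", issuer="CN=AA", extensions=(
    Extension(PROXY_INFO_OID, critical=True, extn_value=b"\x30\x00"),
    Extension("1.2.3.4.5", critical=False),   # unknown but non-critical: ignored
))
GOOD_CHAIN = AttributeCertChain(AC, (
    Certificate(subject="CN=AA", issuer="CN=Intermediate"),
    Certificate(subject="CN=Intermediate", issuer="CN=Root"),
))
BAD_ORDER = AttributeCertChain(AC, (
    Certificate(subject="CN=Intermediate", issuer="CN=Root"),
    Certificate(subject="CN=AA", issuer="CN=Intermediate"),
))
AC_UNKNOWN_CRITICAL = AttributeCertificate(holder="CN=bob", issuer="CN=AA", extensions=(
    Extension("1.2.3.4.6", critical=True),    # unknown and critical: reject
))

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad order", BAD_ORDER),
                         ("unknown critical", AttributeCertChain(AC_UNKNOWN_CRITICAL))):
        print(label, validate_element(chain, RECOGNIZED))
```

   The check stops at the first unrecognized critical extension; a real TSS would still need to verify the signatures along the chain, which the spec's ordering rule makes possible but which this record-level model does not attempt.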