Authorization certificate

In computer security, an attribute certificate, or authorization certificate (AC), is a digital document containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, the AC is called an authorization certificate. The AC is standardized in X.509. RFC 5755 further specifies its usage for authorization purposes in the Internet.

The authorization certificate works in conjunction with a public key certificate (PKC). While the PKC is issued by a certificate authority (CA) and is used as proof of the identity of its holder, like a passport, the authorization certificate is issued by an attribute authority (AA) and is used to characterize or entitle its holder, like a visa. Because identity information seldom changes and has a long validity time, while attribute information changes frequently or has a short validity time, separate certificates with different security rigours, validity times and issuers are necessary.

Comparison of attribute and public key certificates

An AC resembles a PKC but contains no public key, because an AC verifier is under the control of the AC issuer and therefore trusts the issuer directly by having the issuer's public key preinstalled. This means that once the AC issuer's private key is compromised, the issuer has to generate a new key pair and replace the old public key in all verifiers under its control with the new one.

The verification of an AC requires the presence of the PKC that is referred to as the AC holder in the AC.

As with a PKC, an AC can be chained to delegate attributes. For example, an authorization certificate issued for Alice authorizes her to use a particular service. Alice can delegate this privilege to her assistant Bob by issuing an AC for Bob's PKC. When Bob wants to use the service, he presents his PKC and a chain of ACs starting from his own AC issued by Alice and then Alice's AC issued by the issuer that the service trusts. In this way, the service can verify that Alice has delegated her privilege to Bob and that Alice has been authorized to use the service by the issuer that controls the service. RFC 3281, however, does not recommend the use of AC chains because of the complexity in administering and processing the chain, and there is little use of ACs in the Internet.

Usage

To use a service or a resource that the issuer of an AC controls, a user presents both the PKC and the AC to a part of the service or resource that functions as an AC verifier. The verifier will first check the identity of the user using the PKC, for example, by asking the user to decrypt a message encrypted by the user's public key in the PKC. If the authentication is successful, the verifier will use the preinstalled public key of the AC issuer to check the validity of the presented AC. If the AC is valid, the verifier will check whether or not the PKC specified in the AC matches the presented PKC. If it matches, the verifier will check the validity period of the AC. If the AC is still valid, the verifier can perform additional checks before offering the user a particular level of service or resource usage in accordance with the attributes contained in the AC.

For example, a software developer that already has a PKC wants to deploy its software in a computing device employing DRM, like an iPad, where software can only be run in the device after the software has been approved by the device manufacturer. The software developer signs the software with the private key of the PKC and sends the signed software to the device manufacturer for approval. After authenticating the developer using the PKC and reviewing the software, the manufacturer may decide to issue an AC granting the software the basic capability to install itself and be executed, as well as an additional capability to use the Wi-Fi device, following the principle of least privilege. In this example, the AC does not refer to the PKC of the developer as the holder but to the software, for example, by storing the developer's signature of the software in the holder field of the AC. When the software is put into the computing device, the device will verify the integrity of the software using the developer's PKC before checking the validity of the AC and granting the software access to the device functionalities.

A user may also need to obtain several ACs from different issuers to use a particular service. For example, a company gives one of its employees a company-wide AC that specifies the engineering department as the work area. To access engineering data, however, the employee also needs a security clearance AC from the head of the engineering department. In this example, the resource of engineering data needs to be preinstalled with the public keys of both the company-wide and the engineering department AC issuers.

Contents of a typical attribute certificate

Version: the version of the certificate.
Holder: the holder of the certificate.
Issuer: the issuer of the certificate.
Signature algorithm: the algorithm by which the certificate is signed.
Serial number: the unique issuance number given by the issuer.
Validity period: the validity period of the certificate.
Attributes: the attributes associated to the certificate holder.
Signature value: the signature of the issuer over the whole data above.

Benefits

Using an attribute certificate, the service or resource host does not need to maintain an access control list, which can potentially be large, or to always be connected to a network to access a central server, as when using Kerberos. It is similar to the idea of capabilities, in which the permission (or permissions) to use a service or resource is not stored in the service or resource itself but with the users, using a tamper resistance mechanism.

See also

Public key certificate
Attribute-based access control
Security Assertion Markup Language
Shibboleth
Voms

References

R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi:10.17487/RFC4949. RFC 4949. Informational.
Farrell, S.; Housley, R. "An Internet Attribute Certificate Profile for Authorization". RFC 3281.

External links

SPKI/SDSI Certificate Documentation
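An added example (not code from the article or from any X.509 implementation) that walks the verifier's checks described in the Usage section over a certificate whose fields follow the "Contents of a typical attribute certificate" list: issuer signature against a preinstalled public key, holder against the presented PKC, then validity period. Textbook RSA with constructed tiny primes stands in for a real signature algorithm, and the holder is identified by an assumed "CA name:serial" string rather than a DER-encoded PKC reference.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy issuer key pair (n = 61 * 53, e = 17, d = 2753): demo only,
# a real attribute authority would use a proper signature algorithm and key size.
ISSUER_N, ISSUER_E, ISSUER_D = 3233, 17, 2753


def _digest(data: bytes) -> int:
    # Hash the to-be-signed bytes and reduce mod n so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ISSUER_N


@dataclass
class AttributeCertificate:
    # Fields follow the "Contents of a typical attribute certificate" list.
    version: int
    holder: str             # reference to the holder's PKC (assumed "issuer:serial" form)
    issuer: str
    signature_algorithm: str
    serial_number: int
    not_before: int         # validity period as Unix timestamps
    not_after: int
    attributes: dict
    signature_value: int = 0

    def tbs_bytes(self) -> bytes:
        # Everything the issuer signs: all fields except the signature itself.
        return repr((self.version, self.holder, self.issuer, self.signature_algorithm,
                     self.serial_number, self.not_before, self.not_after,
                     sorted(self.attributes.items()))).encode()


def issue_ac(ac: AttributeCertificate) -> AttributeCertificate:
    # The attribute authority signs with its private key: sig = H(tbs)^d mod n.
    ac.signature_value = pow(_digest(ac.tbs_bytes()), ISSUER_D, ISSUER_N)
    return ac


def verify_ac(ac, presented_pkc_id, now, trusted_pubkey=(ISSUER_N, ISSUER_E)):
    """Walk the verifier's checks; the issuer key is preinstalled, so the AC
    itself carries no public key. Returns (ok, attributes-or-reason)."""
    n, e = trusted_pubkey
    if pow(ac.signature_value, e, n) != _digest(ac.tbs_bytes()):
        return False, "bad issuer signature"
    if ac.holder != presented_pkc_id:          # AC must name the presented PKC
        return False, "holder does not match presented PKC"
    if not ac.not_before <= now <= ac.not_after:
        return False, "outside validity period"
    return True, ac.attributes                  # caller applies its own policy
```

The identity check of the PKC itself (the challenge decrypted with the holder's private key) happens before these steps and is left to the surrounding service.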
