Attribute Certificate By Ganesh Godavari

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281


Attribute Certificate

By

Ganesh Godavari


Talk About

An Internet Attribute Certificate for Authorization -- RFC 3281


Motivation

• Understand Attribute Certificates

• How they can fit into information sharing


What are Attribute Certificates (AC)?

• Unlike a PKC, an AC contains no public key

• An AC can specify
– Group membership
– Role
– Security clearance
– others


When should an AC be used?

• A PKC may include lifelong/long-lasting attributes.
– If the attribute doesn't expire before the related PKC, then the attribute may be included in the PKC.

• An AC should be used for short-lasting attributes:
– If the attribute expires before the related PKC, then the attribute should be placed in an AC.


For which security services may ACs be used?

ACs may be used in the context of:

• an access control service, when identity is not the criterion used for access control decisions, but rather the role or group membership of the accessor is the criterion used (role-based access control)

• a non-repudiation or data origin authentication service: the attributes contained in the AC provide additional information about the signer. This information can be used to make sure that the signer is empowered to sign the data.


Digital Certificates

Public Key Certificate (PKC)
– Version
– Serial Number
– Signature ID
– Subject
– Issuer
– Validity Period
– Subject Public Key Info
– Extensions
– Signature

Attribute Certificate (AC)
– Version
– Serial Number
– Signature ID
– Holder
– Issuer
– Validity Period
– Attributes
– Extensions
– Signature

• A PKC binds a subject (DN) to a public key

• An AC has no public key; it binds permissions (attributes) to an entity

• PKC is the passport and AC is the visa; both are complementary
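The passport/visa relationship above, seen from a relying party making a role-based access decision. This is an added example, not code from the original slides or from OpenSSL. It uses simplified in-memory stand-ins for the two certificates, assumes signatures and certification paths were already verified, and all names (`authorize`, `PKC`, `AC`, the sample DNs) are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Simplified stand-ins for the two certificate types (assumption: signature
# and path validation already succeeded and are not modelled here).
@dataclass(frozen=True)
class PKC:
    issuer: str
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AC:
    holder_issuer: str   # Holder names the PKC by issuer DN and serial
    holder_serial: int   # (the baseCertificateID option of RFC 3281)
    ac_issuer: str
    not_before: datetime
    not_after: datetime
    roles: frozenset

def authorize(pkc, ac, required_role, trusted_ac_issuers, now):
    """Return (allowed, reason) for a role-based access decision."""
    if not (pkc.not_before <= now <= pkc.not_after):
        return False, "PKC outside validity period"
    if ac.ac_issuer not in trusted_ac_issuers:
        return False, "AC issuer not trusted"
    # The visa must belong to this passport, not to some other valid one.
    if (ac.holder_issuer, ac.holder_serial) != (pkc.issuer, pkc.serial):
        return False, "AC holder does not match PKC"
    if not (ac.not_before <= now <= ac.not_after):
        return False, "AC outside validity period"
    if required_role not in ac.roles:
        return False, "role not present in AC"
    return True, "granted on role, not identity"

# Constructed sample data: one-year PKCs and an eight-hour AC for alice.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = PKC("CN=Example CA", 1001, "CN=alice", T0, T0 + timedelta(days=365))
MALLORY = PKC("CN=Example CA", 1002, "CN=mallory", T0, T0 + timedelta(days=365))
ALICE_AC = AC("CN=Example CA", 1001, "CN=Example AA", T0,
              T0 + timedelta(hours=8), frozenset({"auditor"}))
TRUSTED = {"CN=Example AA"}

if __name__ == "__main__":
    for pkc, hours in [(ALICE, 1), (MALLORY, 1), (ALICE, 24)]:  # hours after T0
        now = T0 + timedelta(hours=hours)
        print(pkc.subject, authorize(pkc, ALICE_AC, "auditor", TRUSTED, now))
```

The third case shows the short-lived attribute expiring while the PKC it refers to is still valid, which is the situation the slides give as the reason to put the attribute in an AC.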


AC Distribution - “pull” vs. “push”

[Figure: AC exchanges among AC Issuer, Client, Repository and Server. Arrow labels: Client Acquisition, Server Acquisition, Client Lookup, Server Lookup, AC “push” (part of app. protocol)]


Work that needs to be done

• Currently looking into a sample AC so that I can write it in OpenSSL

• Send out a request to Steve of the OpenSSL group

• Looking again for more information in the RFC