Embed Size (px)
Citation preview
Attribute Certificate
By
Ganesh Godavari
Talk About
An Internet Attribute Certificate for Authorization -- RFC 3281
Motivation
• Understand Attribute Certificate
• How can they fit into information sharing
What are Attribute Certificates (AC)
• An AC contains no public key like PKC
• An AC can specify– Group Membership– Role– Security clearance– others
5
When should AC be used ?
• PKC may include life/long lasting attributes.– if the attribute doesn’t expire before the related PKC,
then the attribute may be included in the PKC.
• AC should be used for short lasting attributes:– if the attribute expires before the related PKC,
then the attribute should placed in an AC.
6
For which security services ACs may be used ?
ACs may be used in the context of• access control service when the identity is not the
criterion that is used for access control decisions, but rather when the role or group-membership of the accessors the criterion used. role-based access control
• non-repudiation or data origin authentication service. the attributes contained in the AC provide additional information about the signer. This information can be used to make sure that the signer is empowered to sign the data.
Digital Certificates
VersionVersion VersionVersion
Serial NumberSerial Number
Signature IDSignature ID
SubjectSubject
IssuerIssuer
Validity PeriodValidity Period
Subject Public Key Info
Subject Public Key Info
ExtensionsExtensions
Sig
natu
reS
ign
atu
re
Serial NumberSerial Number
Signature IDSignature ID
HolderHolder
IssuerIssuer
Validity PeriodValidity Period
AttributesAttributes
ExtensionsExtensions
Sig
natu
reS
ign
atu
re
No Public KeyAC binds permission
(attributes) to an entity
PKC binds a subject (DN) to
a public key
PKC is passport and AC is visa both are complementary
Public Key Certificate (PKC)Attribute Certificate (AC)
AC Distribution - “pull” vs. “push”
AC Issuer
Client
Repository
Server
Server Lookup
Client Lookup
Client Acquisition
Server Acquisition
AC “push”
( part of app. Protocol)
Work need to be done
• Currently looking into a sample AC so that I can write it in openssl
• Send out request to steve of openssl group
• Looking again for more information into the rfc
![[MS-PAC]: Privilege Attribute Certificate Data Structure...Privilege Attribute Certificate (PAC) was created to provide this authorization data for Kerberos Protocol Extensions [MS-KILE]](https://img.pdfslide.us/doc/110x75/5f0fef807e708231d4469f0b/ms-pac-privilege-attribute-certificate-data-structure-privilege-attribute.jpg)
![Microsoft · Web view[MS-PAC]: Privilege Attribute Certificate Data Structure. Intellectual Property Rights Notice for Open Specifications Documentation. Technical Documentation](https://img.pdfslide.us/doc/110x75/6091bde11f83df7f9d689238/microsoft-web-view-ms-pac-privilege-attribute-certificate-data-structure-intellectual.jpg)