|
In computer security, an attribute certificate, or authorization certificate (AC) is a digital document containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for authorization purpose, AC is called authorization certificate. AC is standardized in X.509. RFC 5755 further specifies the usage for authorization purpose in the Internet. The authorization certificate works in conjunction with a public key certificate (PKC). While the PKC is issued by a certificate authority (CA) and is used as a proof of identity of its holder like a passport, the authorization certificate is issued by an attribute authority (AA) and is used to characterize or entitle its holder like a visa. Because identity information seldom changes and has a long validity time while attribute information frequently changes or has a short validity time, separate certificates with different security rigours, validity times and issuers are necessary. ==Comparison of attribute and public key certificates== An AC resembles a PKC but contains no public key because an AC verifier is under the control of the AC issuer, and therefore, trusts the issuer directly by having the public key of the issuer preinstalled. This means that once the AC issuer's private key is compromised, the issuer has to generate a new key pair and replaces the old public key in all verifiers under its control with the new one. The verification of an AC requires the presence of the PKC that is referred as the AC holder in the AC. As with a PKC, an AC can be chained to delegate attributions. For example, an authorization certificate issued for Alice authorizes her to use a particular service. Alice can delegate this privilege to her assistant Bob by issuing an AC for Bob's PKC. When Bob wants to use the service, he presents his PKC and a chain of ACs starting from his own AC issued by Alice and then Alice's AC issued by the issuer that the service trusts. In this way, the service can verify that Alice has delegated her privilege to Bob and that Alice has been authorized to use the service by the issuer that controls the service. RFC 3281, however, does not recommend the use of AC chains because of the complexity in administering and processing the chain and there is little use of AC in the Internet. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Authorization certificate」の詳細全文を読む スポンサード リンク
|