Report on Attribute Certificates By Ganesh Godavari

Dept CDept A Issuance of Attribute Certificates Central Applications Central Applications Central Applications Central Applications Department Applications Central Applications Department Applications Dept B External Company ACA Central ACA Local ACA Local ACA Local ACA Devolved User Central Applications

Issuance Central issuance - advantages –Suitable for small organizations Local issuance - advantages –Simplified user authentication –Simplified issuance procedures –Reduced administration overhead –Greater control –Simpler distribution

Distributing Attribute Certificates Pull Mirrors X.509 identity cert model -- certificates are written to directory (e.g. X.500) Applications requiring attribute certificates may “pull” them as required Push Users supply attribute certificate directly to application (similar to password model) No directory Attribute Certificate Server Attribute Certificate enabled Application Directory Publish Look up Given to user Submitted by user

Using Attribute Certificates CA RA CA Operator RA Operator Web Server Attribute Certificate Server User Manager Web Server Proxy Verifies AC Grants access Application Config Manager 1. Get X.509v3 Identity Certificate 2. Get Attribute Certificate 3. Use Identity cert for Authentication 4. Use Attribute Cert for access control Registration Authority (RA) is a person to whom the CA delegates the responsibility for the verification of identity of a person requesting a certificate.

Using Attribute Certificates Certificate (PKI) based authentication of user –SSL with client authentication –S/MIME with signature –Challenge response –Signed objects Check attribute certificate is linked to identity Check ACA is allowed Check ACA signature Extract attributes and use

Verifying Claimed Privilege Privilege Verifier Bill Alice Bob SOA AA Holder Root CA Signs Alice’s Public Key Bill’s Public Key Bob’s Public Key Issues AC to Issues AC to Issues Command to Checks delegation of privileges Checks all signatures Checks privilege is sufficient

Privilege Management Infrastructure The resource must have available to PMI –the root of trust of the PKI (public key of root CA) –the root of trust of the PMI (public key of Source of Authority or a valid PK certificate) –privilege policy (rules specifying privileges) –local variables e.g. time of day –access to revocation information and certificate chains

Certificate Management Authority Components of Certificate Management Authority System –Enrollment. You can apply for and obtain a certificate for yourself or for a server that you administer. –Renewal. You can renew a certificate that is about to expire or has already expired. –Revocation. If you are a system administrator, you can revoke a certificate so that it is no longer valid. –Retrieval. You can list all certificates that are available to you or to your server. Cert Requests Request CertificatesExpired certificates Revocation Information Issue Expire Revoke Publish CRL Audit Log

Conclusion on certificate management Cumbersome Tedious Who is root CA? What level of certificate chain validation must I go through?

Research areas How to define AC for a group? Certificate Management System simplification?

Questions ?

References Privilege Management in X.509(2000) presentation by David W Chadwick BSc PhD Attribute Certificates presentation by Spiro Alifrangis, Baltimore Technologies