Patrick Patterson wrote:
> Hi Dirk:
>
> Dirk Reske wrote:
>> Patrick Patterson wrote:
>>> Second, it's just plain bad PKI to put attributes in Identity
>>> Certificates.
>>
>> What do you mean by this?
>
> Well, to quote IETF RFC 3281 (which has to do with Attribute Certificates):
>
> "Some people constantly confuse PKCs and ACs. An analogy may make the
> distinction clear. A PKC can be considered to be like a passport: it
> identifies the holder, tends to last for a long time, and should not be
> trivial to obtain. An AC is more like an entry visa: it is typically
> issued by a different authority and does not last for as long a time. As
> acquiring an entry visa typically requires presenting a passport, getting
> a visa can be a simpler process.
>
> Authorization information may be placed in a PKC extension or placed in a
> separate attribute certificate (AC). The placement of authorization
> information in PKCs is usually undesirable for two reasons. First,
> authorization information often does not have the same lifetime as the
> binding of the identity and the public key. When authorization
> information is placed in a PKC extension, the general result is the
> shortening of the PKC useful lifetime. Second, the PKC issuer is not
> usually authoritative for the authorization information. This results in
> additional steps for the PKC issuer to obtain authorization information
> from the authoritative source.
>
> For these reasons, it is often better to separate authorization
> information from the PKC. Yet, authorization information also needs to be
> bound to an identity. An AC provides this binding; it is simply a
> digitally signed (or certified) identity and set of attributes."
>
> (where PKC is a public key certificate (i.e.: Identity Certificate) and AC
> is an Attribute Certificate).
>
> Now - the problem with implementing ACs is that there are VERY few systems
> out there that implement them correctly, or at all - unless you are in a
> position to control everything about your environment (i.e.: Military or
> Intelligence agency), then ACs probably won't work in your environment.
>
> So, to achieve the separation of Attributes and Identity, as I said in my
> other mail, you should probably look at a technology that was conceived
> for the express purpose of transmitting attributes about a security
> principal around - i.e. Identity Federation :)
>
> Have fun.
>
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.com

Thanks, but we only want to add extra identity information. No authorization stuff.

Dirk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
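The thread is about putting extra information into a certificate while keeping it identity data rather than authorization data. The following is an added example, not code from any participant in the thread or from the OpenSSL project: it uses the openssl command line to issue a self-signed identity certificate that carries one extra identity attribute as a custom X.509 extension, then reads the extension back out of the certificate's text dump. It assumes openssl 1.1.1 or later (for `req -addext`), and the OID 1.3.6.1.4.1.99999.1, the subject name and the attribute value are made up for illustration; a real deployment would use an OID from its own registered arc.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): carry one extra piece of
# *identity* information in a certificate as a custom X.509 extension and read
# it back. Assumes openssl >= 1.1.1 for `req -addext`. The OID, subject and
# value below are made up for illustration.
set -e

EXT_OID="1.3.6.1.4.1.99999.1"      # hypothetical private-arc OID
EXT_VALUE="Department-42"          # identity attribute, not a permission
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed certificate for CN=dirk.example whose extension list
# includes EXT_OID with a UTF8String payload. Because the payload describes
# who the holder is rather than what they may do, it can share the one-year
# lifetime of the identity binding without shortening it.
issue_cert_with_extension() {
    cert="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/key.pem" -out "$cert" \
        -subj "/CN=dirk.example" \
        -addext "$EXT_OID=ASN1:UTF8String:$EXT_VALUE" \
        >/dev/null 2>&1
}

# Return 0 if the given string appears in the certificate's text dump, 1
# otherwise. openssl prints an extension it does not recognise by its dotted
# OID, followed by the raw payload characters, so both the OID and the
# UTF8String text can be located this way.
cert_text_contains() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

issue_cert_with_extension "$WORK/id.pem"
cert_text_contains "$WORK/id.pem" "$EXT_OID"
cert_text_contains "$WORK/id.pem" "$EXT_VALUE"
echo "extension $EXT_OID carrying '$EXT_VALUE' is present in $WORK/id.pem"
```

The same `-addext` line can be moved into an `[ v3_ext ]` section of an openssl config file and referenced with `-extfile`/`-extensions` when a CA issues the certificate from a CSR instead of self-signing. Relying parties that do not know the OID will simply ignore a non-critical extension, which is the behaviour wanted for descriptive identity data; marking it critical would make unaware verifiers reject the certificate.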