This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview[1]
[{$pagename}] ([PMI]) is the infrastructure for [Privilege Management], the [Access Control Model] for [Authorization] based on the [ITU-T] Recommendation [X.509].
[{$pagename}] is to [Authorization] what [Public Key Infrastructure] (PKI) is to [Authentication].
[PMIs] use [Attribute Certificates] ([ACs]) to hold user [privileges], in the form of [attributes], instead of [Public Key] [certificates] (PKCs) to hold [Public Keys].
[{$pagename}] have [Sources of Authority] ([SoAs]) and [Attribute Authority] ([AA]s) that issue ACs to users, instead of Certification Authorities ([CAs]) that issue PKCs to users. Usually [PMIs] rely on an underlying [PKI], since ACs have to be [digitally signed|Digital Signature] by the issuing AA, and the [PKI] is used to validate the AA's signature.
[{$pagename}] ([PMI]) is the infrastructure for [Privilege Management], the process of managing user [authorisations|Authorization] based on the [ITU-T] Recommendation [X.509].
The [2001|Year 2001] edition of [X.509] specifies most (but not all) of the components of a [{$pagename}] ([PMI]), based on [X.509] [Attribute Certificates] (ACs). Later editions of [X.509] (2005 and 2009) have added further components to the PMI, including a [delegation] service (in 2005 [2]) and interdomain [authorisations|Authorization] (in the [2009|Year 2009] edition).
[{$pagename}] ([PMIs]) are to [authorisations|Authorization] what [Public Key Infrastructures] ([PKIs]) are to [authentication]. [PMIs] use [attribute] [certificates] (ACs) to hold user [privileges], in the form of attributes, instead of [Public Key] [certificates] (PKCs) to hold public keys. [PMIs] have Sources of Authority ([SoAs]) and Attribute Authorities (AAs) that issue ACs to users, instead of Certification Authorities (CAs) that issue PKCs to users. Usually [PMIs] rely on an underlying [PKI], since [Attribute Certificates] have to be [digitally signed|Digital Signature] by the issuing AA, and the [PKI] is used to validate the AA's signature.
An [X.509] [Attribute Certificate] is a generalisation of the well known [X.509] public key certificate (PKC), in which the public key of the PKC has been replaced by any set of attributes of the certificate holder (or subject). Therefore, one could in theory use X.509 ACs to hold a user's public key as well as any other attribute of the user. (In a similar vein, X.509 PKCs can also be used to hold privilege attributes of the subject, by adding them to the subject directory attributes extension of an X.509 PKC). However, the life cycle of public keys and user privileges are usually very different, and therefore it isn't usually a good idea to combine both of them in the same certificate. Similarly, the authority that assigns a privilege to someone is usually different from the authority that certifies someone's public key. Therefore, it isn't usually a good idea to combine the functions of the SoA/AA and the CA in the same trusted authority. PMIs allow privileges and authorisations to be managed separately from keys and [authentication].
The first open source implementation of an [X.509] PMI was built with funding under the EC PERMIS project, and the software is available from the PERMIS project. A description of the implementation can be found in [4][5].
[X.509] [Attribute Certificates] and PMIs are used today in Grids (see Grid computing), to assign privileges to users, and to carry the privileges around the Grid. In the most popular Grid privilege management system today, called VOMS,[6] user privileges, in the shape of VO memberships and roles, are placed inside an X.509 AC by the VOMS server, signed by the VOMS server, and then embedded in the user's X.509 proxy certificate for carrying around the Grid.
Because of the rise in popularity of [XML] [SOAP] based services, [SAML] attribute assertions are now more popular than X.509 [Attribute Certificates] for transporting user attributes. However, they both have similar functionality, which is to strongly bind a set of [privilege] [attributes] to an [entity].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Privilege_Management_Infrastructure|Wikipedia:Privilege_Management_Infrastructure|target='_blank'] - based on information obtained 2016-08-08