- Authorization certificate
computer security, an authorization certificate (also known as an attribute certificate) is a digitaldocument that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.
From RFC 3281 [cite paper|author=Farrell, S.; Housley, R|title=An Internet Attribute Certificate Profile or Authorization|version=RFC 3281] (PKC and AC refer to public key certificate and attribute certificate respectively):
Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a
passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.
A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as
Microsoft Smartphone(and related), Symbian OS, J2ME, and others.
In each of these systems a mobile communications
service providermay customize the mobile terminal client distribution (ie. the mobile phone operating system or application environment) to include one or more root certificates each associated with a set of capabilities or permissions such as "update firmware", "access address book", "use radio interface", and the most basic one, "install and execute". When a developer wishes to enable distribution and execution in one of these controlled environments they must acquire a certificatefrom an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., similar to the high assurance SSL certificate vettingprocess, though often there are additional specific requirements imposed on would-be developers/publishers.
Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher's identity certificate is not distributed but rather it is submitted to processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral
asymmetric key-pairto sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new content being accepted into the system and key management as well as recovery from errant software which can be used as attack vectors.
This solution prevents the service or resource
hostdn from having to use large access control lists. It is similar to the idea of capabilities: store the permission (or permissions) with a protected pointer to the object but not with the object itself.
Public key certificate
* [http://www.kamusm.gov.tr e-sign, e-imza, tr] also for English [http://www.kamusm.gov.tr/en/ Qualified electronic certificate]
* [http://theworld.com/~cme/html/spki.html SPKI/SDSI Certificate Documentation]
Wikimedia Foundation. 2010.