1st Annual PKI Research Workshop---Proceedings
نویسندگان
چکیده
The Canadian Department of National Defence (DND) is shifting its methods for the delegation and exercise of authority from paper-based to electronic-based means. DND has deployed a commercial PKI but there is no general technical solution presently employed by DND for access control or electronic authorization of workflow in distributed processing environments. The aim of this research is to show how an authorization system, or privilege management infrastructure (PMI), can be used to support business processes DND. The results are expected to be applicable to large enterprises in general. The research demonstrates how ITU-T standard X.509 can be used to support DND authority and delegation models. The investigation involves the analysis of the key authorizations within a specific DND problem domain. The X.509 standard and concepts from role-based access control form the basis of the PMI design. This involves the use of attribute certificates to control the specification and delegation of privileges. A novel interpretation of X.509 attribute certificates is proposed that provides separate hierarchies of responsibility for the management and delegation of roles. The results provide insight into, and quantification of, the complexity of the resulting delegation chains. The use of a roles based model for delegation is seen as being important to the scaling of PMI to service large enterprises with mature, complex authority structures. If the processing complexity can be managed, the flexibility of being able to model the actual privilege delegation paths in an organization is an advantage of a rolebased model.
منابع مشابه
1st Annual PKI Research Workshop---Proceedings
In [1], a scalable and small-bandwidth certificate validation scheme was presented. We call this system NOVOMODO, to emphasize the new way in which it approaches the field. In this paper, we recall the NOVOMODO technology and • Compare the efficiency and security of NOVOMODO and OCSP; and • Discuss how NOVOMODO may simplify PKI management in several applications (e.g., attribute certs). 1. Trad...
متن کامل1st Annual PKI Research Workshop---Proceedings
The fundamental goal of PKIs is to provide a means for participating entities to establish and manage trust in other entities, either within or across domain boundaries. As PKIs have evolved, so has the set of alternate methods supporting validation of entities, their certificates, and their keys. Validation processing determines whether or not the acceptance of a certificate or key represents ...
متن کامل1st Annual PKI Research Workshop---Proceedings
Recently there has been considerable interest among PKI vendors and researchers in the concept of password-enabled PKI. Several viable proposals and products have emerged. Fundamentally there are two distinct methods for using passwords with private keys. One method is to use the password to retrieve a private key, while the other uses the password as one component of the private key. We motiva...
متن کامل1st Annual PKI Research Workshop---Proceedings
This paper contrasts the use of an ID PKI (Public Key Infrastructure) with the use of delegatable, direct authorization. It first addresses some commonly held beliefs about an ID PKI – that you need a good ID certificate to use digital signatures, that the ID certificate should come from a CA that has especially good private key security, that use of the ID certificate allows you to know with w...
متن کامل1st Annual PKI Research Workshop---Proceedings
Tuple reduction is the basic mechanism used in SPKI to make authorisation decisions. A basic problem with the SPKI authorisation syntax is that straightforward implementations of tuple reduction are quadratic in both time and space. In the paper we introduce a restricted version of the SPKI authorisation syntax, which appears to conform well with practice, and for which authorisation decisions ...
متن کامل1st Annual PKI Research Workshop---Proceedings
Certificates carry signed statements within a PublicKey Infrastructure (PKI). As we begin to build more complex and more open PKIs, the limited expressiveness of current certificate languages becomes a concern. While certificates are traditionally treated as simple data structures conforming to a given schema, we show an alternative derivation of the concept of a certificate in which certificat...
متن کامل