Hi All,
I will not try to identify the purpose for the use of Attribute
Certificates in S/MIME, however I can see ACs being used to provide an
authorization service for Electronic Commerce using S/MIME as its transport
mechanism. Signing an S/MIME transaction only provides the identity of a
user; it does NOT prove necessarily that this user had the privilege to
authorize this transaction. Although public key certificates can provide
such an authorization service directly if privileges are associated with
this user through the practices of the issuing Certificate Authority, it
can be more appropriate to dissociate privilege from identity. In such
cases, the AC can be the means by which the user's privileges are
expressed. Based on this, ACs are then required to convey, with
authenticity, integrity and currency, the privileges associated with a
user, in order that Verifiers can enforce the appropriate Control Policy on
signed S/MIME transactions.

Here is where the old working document on ACs from the ISO/ITU Directory
Working Group can be found, which provides a generic model for AC use and
another model for the delegation of privileges through new extensions
specifically meant for ACs.
ftp://ftp.bull.com/pub/OSIdirectory/Helsinki97Output/21DIR4.DOC
Note that an updated version of this working document should be available
on that same site within the next few weeks.

Francois Rousseau