pem-dev

Re: PEM Test Service

1993-02-24 16:13:00
From green(_at_)mojo(_dot_)ots(_dot_)utexas(_dot_)edu Wed Feb 24 20:00:17 1993
Date: Wed, 24 Feb 1993 12:35:07 -0600 (GMT-0600)
From: "William C. Green" <W(_dot_)Green(_at_)utexas(_dot_)edu>
Sender: "William C. Green" <green(_at_)wowbagger(_dot_)cc(_dot_)utexas(_dot_)edu>
Subject: Re: PEM Test Service
To: Wolfgang Schneider <schneiw>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 2746

On Wed, 24 Feb 93 15:51:52 +0100, Wolfgang Schneider wrote:

Subject: Re: PEM Test Service
To: epg(_at_)gateway(_dot_)mitre(_dot_)org
cc: pem-dev(_at_)TIS(_dot_)COM


In the case that certification is being used for authorization purposes,
i.e. when you derive capabilities, access rights or whatever from authenticated
DNs, that certification structure is too restrictive, in my view.
The Directory itself is a good example. If you access a DSA using strong
authentication, the DSA will grant or deny you access rights to the DIB
which he may derive from your authenticated DN, following an authorization
policy. It could also be part of the particular DSA authorization policy,
for instance, that your access rights are not derived from your name, but
from the name of the issuer of your certificate. I can imagine a lot of
applications where X.509-certification is being used to derive capabilities
not from your DN, but from the place where you are in the certification
tree.


I guess I'm a bit confused.  In the case of a DSA, isn't it the access control
lists that determine what you can accomplish "authorization" ?  The access
control lists have as a component distinguished names identifying who can
perform what operations.  X.509 certification simply binds a DN
"authentication".

I had X.500-88 DSAs in mind where access control is a local, non-standardized
matter.

Wolfgang
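
An added illustration of the two policies contrasted in this exchange (my own constructed code, not from either correspondent): rights looked up from the authenticated DN through an access control list, versus rights derived from the issuers on the certification path, i.e. from where the holder sits in the certification tree. Every DN, the chain, the ACL and the issuer table are constructed placeholders, and signature checking is left out so that only the path structure is modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name of the holder
    issuer: str   # distinguished name of the certifying authority


# Constructed certification path: leaf first, self-signed root last.
CHAIN = [
    Cert("C=XX, O=Example Org, OU=Lab, CN=Example User", "C=XX, O=Example Org, CN=Org CA"),
    Cert("C=XX, O=Example Org, CN=Org CA", "C=XX, CN=Policy CA"),
    Cert("C=XX, CN=Policy CA", "C=XX, CN=Policy CA"),
]


def validate_path(chain):
    """Structural check only: each issuer must be the next subject, root self-signed."""
    if not chain:
        return False
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            return False
    return chain[-1].subject == chain[-1].issuer


# Policy 1 (Green's reading): authentication binds a DN; the ACL says what that DN may do.
ACL = {"C=XX, O=Example Org, OU=Lab, CN=Example User": {"read", "modify"}}


def rights_from_dn(chain):
    if not validate_path(chain):
        return set()
    return set(ACL.get(chain[0].subject, ()))


# Policy 2 (Schneider's reading): rights come from the issuers above the holder,
# so any holder certified under the same CAs gets the same capabilities.
ISSUER_RIGHTS = {"C=XX, O=Example Org, CN=Org CA": {"read"}, "C=XX, CN=Policy CA": {"list"}}


def rights_from_issuers(chain):
    if not validate_path(chain):
        return set()
    granted = set()
    for cert in chain[:-1]:  # every CA on the path above the leaf
        granted |= ISSUER_RIGHTS.get(cert.issuer, set())
    return granted
```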
