
certificate holder

Certificate holder: the entity that is provided a certificate of insurance as evidence of the insurance maintained by another entity. In standard certificate forms, the certificate holder is usually listed in the space provided for that purpose.

In computer security, an attribute certificate, or authorization certificate (AC), is a digital document containing attributes associated with the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, the AC is called an authorization certificate. AC is standardized in X.509. RFC 5755 further specifies its usage for authorization purposes on the Internet. Authorization certificates work in conjunction with public key certificates (PKCs).

The PKC is issued by a Certificate Authority (CA) and is used as proof of the owner's identity, like a passport, while the authorization certificate is issued by the Attribute Authority (AA) and is used to characterize or entitle the owner, like a visa. Identity information does not change often and has a long validity period, while attribute information changes frequently or has a short validity period, so separate certificates with different security requirements, validity periods, and issuers are required.


An AC is similar to a PKC, but it does not include a public key, because the AC verifier is under the control of the AC issuer and trusts the issuer directly by having the issuer's public key pre-shared. This means that if the AC issuer's private key is compromised, the issuer has to generate a new key pair and replace the old public key with the new one on all verifiers under its control. Verifying an AC requires the presence of the PKC that is referred to as the AC holder in the AC. Like PKCs, ACs can be chained to delegate attributes. For example, an authorization certificate issued to Alice entitles her to use a certain service. Alice can delegate this privilege to her assistant Bob by issuing an AC for Bob's PKC.





If Bob wants to use the service, he presents his PKC and a chain of ACs: first his own AC issued by Alice, then Alice's AC issued by the issuer that the service trusts. In this way, the service can verify that Alice has delegated her privilege to Bob and that Alice has been authorized to use the service by the issuer that controls the service. However, RFC 3281 does not recommend the use of AC chains because of the complexity of administering and processing the chain and because ACs are rarely used on the Internet.
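The linkage checks a service would make on the Bob and Alice chain described above, as an added example that is not part of the original post. It assumes each AC's signature has already been verified with a cryptographic library, models the holder reference as a SHA-256 digest of the holder's PKC (a simplification), and uses constructed names, dates and placeholder certificate bytes.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

def pkc_id(pkc_der: bytes) -> str:
    """Holder reference: SHA-256 of the holder's PKC (simplified binding)."""
    return hashlib.sha256(pkc_der).hexdigest()

@dataclass(frozen=True)
class AttributeCert:
    issuer: str            # pkc_id of the issuer (the AA or a delegating holder)
    holder: str            # pkc_id of the PKC this AC is bound to
    attributes: frozenset  # privileges granted to the holder
    not_before: datetime
    not_after: datetime

def check_chain(presented_pkc, chain, trusted_issuer, privilege, now):
    """chain[0] is the presenter's AC; chain[-1] must come from the trusted AA.
    Returns (ok, reason). Signature checks are assumed to be done beforehand."""
    if not chain:
        return False, "empty chain"
    expected_holder = pkc_id(presented_pkc)
    for i, ac in enumerate(chain):
        if ac.holder != expected_holder:
            return False, f"AC {i}: holder does not match expected PKC"
        if not (ac.not_before <= now <= ac.not_after):
            return False, f"AC {i}: outside validity period"
        if privilege not in ac.attributes:
            return False, f"AC {i}: privilege not granted"
        expected_holder = ac.issuer  # the next AC must be held by this issuer
    if chain[-1].issuer != trusted_issuer:
        return False, "chain does not end at the trusted issuer"
    return True, "ok"

# Constructed sample data: placeholder bytes stand in for DER-encoded PKCs.
ALICE_PKC, BOB_PKC, AA_PKC = b"alice-pkc", b"bob-pkc", b"service-aa-pkc"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 12, 31, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PRIV = frozenset({"use-service"})
ALICE_AC = AttributeCert(pkc_id(AA_PKC), pkc_id(ALICE_PKC), PRIV, T0, T1)
BOB_AC = AttributeCert(pkc_id(ALICE_PKC), pkc_id(BOB_PKC), PRIV, T0, T1)

def demo():
    return check_chain(BOB_PKC, [BOB_AC, ALICE_AC], pkc_id(AA_PKC), "use-service", NOW)

if __name__ == "__main__":
    print(demo())
```

Because every AC in the chain must carry the requested privilege, a delegator cannot pass on an attribute it does not hold itself.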
