- From: Phil Karlton <karlton@netscape.com>
- Date: Tue, 28 May 1996 03:00:30 -0700
- To: ietf-tls@w3.org
There has been very little mention of attribute certificates in this forum, and support is needed in any new protocol.

Attribute certificates allow a third party (usually a form of certificate authority) to assert that certain properties are true of the owner of some authentication certificate. Often these properties are some sort of authorization or indicate membership in some access control list.

The same information could have been encoded in the original certificate, but this may be undesirable for several reasons. First, the authorization authority may not necessarily be the same authority that issued the base certificate. Second, it is expected that attribute certificates will have a shorter lifetime than authentication certificates. (Attributes about people change more frequently than their identities. :-) This may prevent CRLs from becoming unwieldy.

The intention for SSL 3.1 was to add an "attribute certificate request" message as a possible handshake message. It would specify the list of attribute-authority pairs required by the server. The client would respond with an "attribute certificate" message that included the list of relevant certificates.

PK

--
Philip L. Karlton
karlton@netscape.com
Principal Curmudgeon
http://home.netscape.com/people/karlton
Netscape Communications

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin
Received on Tuesday, 28 May 1996 06:00:34 UTC
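The handshake sketched in the message above, as an added example that is not part of the original post or of any SSL/TLS specification: the message layout, field names and the HMAC stand-in for the authority's signature are all assumptions, since the post defines no encoding. The server side checks the properties the post motivates: the cert is bound to the authenticated subject, issued by the requested authority, unexpired and untampered.

```python
"""Simulated 'attribute certificate request' / 'attribute certificate' exchange.
Added example; the wire format and the HMAC 'signature' are simplifying
assumptions, not SSL 3.1 or X.509 structures."""
import hmac, hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AttributeCert:
    holder: str      # subject of the base (authentication) certificate
    authority: str   # attribute authority that issued this cert
    attribute: str   # asserted property, e.g. "acl=payroll"
    not_after: int   # short lifetime, as the post anticipates
    sig: bytes

# Constructed stand-in for the authorities' signing keys (assumption).
AUTHORITY_KEYS = {"hr-ca": b"hr-secret", "acl-ca": b"acl-secret"}

def _tbs(holder, authority, attribute, not_after):
    return f"{holder}|{authority}|{attribute}|{not_after}".encode()

def issue(holder, authority, attribute, not_after):
    sig = hmac.new(AUTHORITY_KEYS[authority],
                   _tbs(holder, authority, attribute, not_after), hashlib.sha256).digest()
    return AttributeCert(holder, authority, attribute, not_after, sig)

def attribute_certificate_request(pairs):
    """Server -> client: the (attribute, authority) pairs the server requires."""
    return {"type": "attribute_certificate_request", "pairs": list(pairs)}

def attribute_certificate(request, holder, wallet):
    """Client -> server: only certs matching a requested pair and bound to
    the client's own authentication identity are sent."""
    wanted = set(request["pairs"])
    return {"type": "attribute_certificate",
            "certs": [c for c in wallet
                      if (c.attribute, c.authority) in wanted and c.holder == holder]}

def verify(request, response, auth_subject, now):
    """Server side: returns the requested pairs NOT satisfied by a cert that is
    bound to auth_subject, issued by the named authority, unexpired and
    correctly signed. An empty set means every requirement was met."""
    satisfied = set()
    for c in response["certs"]:
        key = AUTHORITY_KEYS.get(c.authority)
        if key is None or c.holder != auth_subject or c.not_after < now:
            continue
        expected = hmac.new(key, _tbs(c.holder, c.authority, c.attribute, c.not_after),
                            hashlib.sha256).digest()
        if hmac.compare_digest(c.sig, expected):
            satisfied.add((c.attribute, c.authority))
    return set(request["pairs"]) - satisfied
```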