Mouse wrote:
> I.e. for the sake of the argument identity
> "Michael" may have an attribute "employee of Tenebras", and another
> attribute "permitted access to dev repository A12".
Well, the Subject Distinguished Name should have the Organization, but I strongly disagree with you if you think access permissions belong anywhere in a cert.
The question of whether attribute certs are better or worse for authorization than e.g. flat files is similar to whether cert-based identity authentication is better or worse than e.g. LDAP-based one or flat files e.g. Unix /etc/passwd.
Attribute certs are a lousy way to encode security policy. You really only need signed assertions if the relying party has no trusted method of communication with the policy server (file/db/etc). Revocation is a pain, certificate status is a pain, and you've just multiplied your public key computation load by a factor of three or four. Much better to check whether the authenticated party has permission to do what's requested at the time of the request. Group membership is questionable -- the OU is certainly a kind of group, but for the purposes of access control a party may belong to many groups, and a robust policy might restrict access to certain hours during certain days of the week. If you seriously consider this, then the idea of putting access controls in certificates really looks absurd.

- Michael
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
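The request-time check Michael argues for, as an added illustration that is not part of the thread: the cert supplies only the authenticated Subject DN, while group membership, the day-of-week and hour restrictions, and removal of access all live in a policy store consulted per request. The DN, group names, resource name and policy values are constructed for the example.

```python
from datetime import datetime
from typing import Optional

# Constructed policy store standing in for the flat file / DB the relying
# party trusts. Nothing here is carried in the certificate itself.
GROUPS = {
    "CN=Michael,O=Tenebras": {"tenebras-staff", "dev-repo-A12"},
}
# resource -> list of (group, permitted weekdays, permitted [start, end) hours)
# weekday() numbering: 0 = Monday ... 6 = Sunday.
POLICY = {
    "repo:A12": [("dev-repo-A12", {0, 1, 2, 3, 4}, (8, 19))],
}

def dn_attr(dn: str, key: str) -> Optional[str]:
    """Pull one attribute (e.g. 'O') out of a comma-separated DN string."""
    for rdn in dn.split(","):
        k, _, v = rdn.strip().partition("=")
        if k.upper() == key.upper():
            return v
    return None

def is_authorized(subject_dn: str, resource: str, at: str) -> bool:
    """Decide access now, from current policy, for an already-authenticated DN.

    `at` is an ISO 8601 timestamp for the moment of the request.
    """
    now = datetime.fromisoformat(at)
    groups = GROUPS.get(subject_dn, set())
    for group, days, (start, end) in POLICY.get(resource, []):
        if group in groups and now.weekday() in days and start <= now.hour < end:
            return True
    return False

def revoke_membership(subject_dn: str, group: str) -> None:
    """Removing a group takes effect on the next request: no CRL, no reissue."""
    GROUPS.get(subject_dn, set()).discard(group)

if __name__ == "__main__":
    dn = "CN=Michael,O=Tenebras"
    print(dn_attr(dn, "O"), is_authorized(dn, "repo:A12", "2024-03-12T10:00"))
```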