On 2007.05.25 at 08:16:19 -0400, Mouse wrote:

> I'm driving at Attribute Certificates. They are supposed to have shorter
> life than identity certs, but still long enough to be usable.

I've seen a project to add attribute certificates to OpenSSL:

http://openpmi.sourceforge.net/

You can try to download patches from this project and adapt them for use in
your environment. It seems that they have a very preliminary version which
must be cleaned up to work on all platforms OpenSSL supports.

> The question of whether attribute certs are better or worse for
> authorization than e.g. flat files is similar to whether cert-based identity
> authentication is better or worse than e.g. LDAP-based one or flat files
> e.g. Unix /etc/passwd.

Typically requirements for authorization and authentication are very
different. Authentication involves untrusted networks, passwords which can be
stolen or forgotten, etc. But once you trust authentication, decisions about
authorization of authenticated users for certain operations are typically
within your server system.

But if there are RFCs for attribute certifications, TLS authorization
extensions etc, there should be situations when cryptography-based
authorization is needed.