> For both the responses I got, it looks like the server needs
> to access the information (whether identity or attribute or
> whatever) present in the certificate and use that to decide
> the permissions for the peer that represented this certificate.
> Is my understanding correct?

Partially so. An Attribute Certificate is a _separate_ certificate that becomes meaningful only when presented together with the identity cert. Its purpose is to be able to add and remove certified attributes to an identity cert, without having to re-issue the identity cert itself.

> I also agree that this is an authorization problem. I was just
> trying to get information on whether certificate handling in
> openssl restricts me from issuing certificates to a group
> instead of individuals. I guess I know it now.

The answer is - yes it does [restrict].

> Sounds good. Now, my server will be expecting a few specific
> attributes in the certificate presented by peer, in order to
> regulate access to different services, right?

That would be one way of doing it... In design you should balance the expense of the authorization process against the convenience of its use. I.e. are you going to authorize users based on credentials vouched for by a 3rd party? If not - then something like a local policy server is a more elegant and computationally cheaper solution.

> So the question is
> which APIs in openssl allow me to access this information in
> the certificate?

I'm afraid OpenSSL hasn't implemented Attribute Cert support yet. So the above discussion is moot from a practical point of view. You'd need to search on the Net for one of a couple of OpenSSL enhancements that implement it (still in the development stage), or use a policy server-based approach.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
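The "policy server-based approach" the reply recommends, as an added example that is not part of the thread and not OpenSSL project code: the server authenticates the peer through its ordinary identity certificate and then looks the verified identity up in a local policy table, so no Attribute Certificate support is needed. It is written against the dict layout that Python's standard-library ssl module returns from SSLSocket.getpeercert() (the same fields a C program would read with SSL_get_peer_certificate(), X509_get_subject_name() and X509_NAME_get_text_by_NID()); the peer certificate dict, the issuer name, the OU values and the POLICY table are all constructed for the example, and nothing is sent over the network.

```python
"""
Added example (not from the openssl-users thread): authorize a peer from
its verified *identity* certificate plus a local policy table, instead of
relying on Attribute Certificates that OpenSSL does not support.

The certificate dict below is CONSTRUCTED to match the layout returned
by ssl.SSLSocket.getpeercert(); a real server obtains it from the
connection after setting verify_mode = ssl.CERT_REQUIRED.
"""
import ssl
import time

# Constructed sample: what getpeercert() would return for a hypothetical
# client cert issued by "Example Corp Client CA" with OU=Billing.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Billing"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Corp Client CA"),),),
    "subjectAltName": (("email", "alice@example.com"),
                       ("DNS", "alice.clients.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
    "serialNumber": "0A1B2C",
}

# Hypothetical local policy: authorization data lives here, not in the
# certificate. Group rules key on the OU the CA certified; per-user
# rules key on the SAN e-mail address. Only fields the CA is trusted to
# have checked should be used as keys.
POLICY = {
    "ou": {
        "Billing": {"invoices:read", "invoices:write"},
        "Support": {"tickets:read"},
    },
    "email": {
        "alice@example.com": {"admin:reports"},
    },
}
TRUSTED_ISSUER_CN = "Example Corp Client CA"  # assumed CA name


def dn_field(dn, key):
    """Collect every value of `key` from a getpeercert()-style DN tuple."""
    return [v for rdn in dn for (k, v) in rdn if k == key]


def san_values(cert, kind):
    """Return subjectAltName entries of the given kind ("email", "DNS", ...)."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == kind]


def cert_is_current(cert, now=None):
    """True if `now` (epoch seconds, default: wall clock) is inside the validity window."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def permissions_for(cert, policy=POLICY, now=None):
    """Deny by default: return the set of services this peer may use."""
    if not cert_is_current(cert, now):
        return set()
    # Belt and braces: the TLS layer already chained the cert to a trust
    # anchor, but the policy must only honour the CA that certifies OUs.
    if TRUSTED_ISSUER_CN not in dn_field(cert["issuer"], "commonName"):
        return set()
    granted = set()
    for ou in dn_field(cert["subject"], "organizationalUnitName"):
        granted |= policy["ou"].get(ou, set())
    for email in san_values(cert, "email"):
        granted |= policy["email"].get(email, set())
    return granted


def authorize(cert, service, policy=POLICY, now=None):
    """Access decision for one service request from this peer."""
    return service in permissions_for(cert, policy, now)


if __name__ == "__main__":
    # In a real server: ctx.verify_mode = ssl.CERT_REQUIRED, then
    # authorize(conn.getpeercert(), "invoices:write") per request.
    print(sorted(permissions_for(SAMPLE_PEER_CERT)))
```

Revoking or changing a peer's rights is then an edit to POLICY (or to the separate policy service it stands in for), which is exactly the re-issuance cost the Attribute Certificate design was meant to avoid, without needing any AC parsing in the TLS library.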