
Electronic Attribute Certification and Delegable Privilege Management Infrastructure

Project Overview: 

One of the first tasks in the PRIVILEGE project has been to study, and put into perspective, the delegation implications of the standard schemes proposed in the literature as solutions to distributed authorization problems. We found that PolicyMaker and KeyNote have no explicit delegation statement: any authorization statement can be delegated, and then delegated again, without any control. SDSI, on the other hand, considers three different possibilities for controlling delegation, although SPKI reduced them to a single Boolean condition. Such a Boolean parameter is only a modest mechanism for controlling the depth of delegation [1].

The PRIVILEGE project focuses on the use of X.509 Attribute Certificates and therefore includes a practical implementation of a Privilege Management Infrastructure (PMI). As part of this work, we have developed a mechanism for controlled delegation that uses the extension fields of the attribute certificates. Our proposal is based on graph-based solutions, attaching extra information to every edge in the delegation graph. In particular, we include an index, a real number in the interval [0,1], that measures the issuer's level of confidence in the issued certificate. We also add a Boolean variable, delegation, that defines whether the certificate can be chained, i.e. delegated further [2].
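The following added example (not code from the PRIVILEGE project) models a delegation chain as a list of edges carrying the two values described above, a confidence index in [0,1] and a Boolean delegation flag, and checks that every non-terminal edge permitted further delegation. Aggregating chain confidence as the product of the edge indices, the issuer/holder names, and the acceptance threshold are assumptions of this example, not details given on the page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DelegationEdge:
    """One edge of the delegation graph: issuer -> holder, as an attribute
    certificate would carry it in its extension fields."""
    issuer: str
    holder: str
    confidence: float   # issuer's confidence in this certificate, in [0,1]
    delegation: bool    # may the holder chain (delegate) this certificate?

    def __post_init__(self) -> None:
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError(f"confidence index out of [0,1]: {self.confidence}")


def chain_confidence(chain: List[DelegationEdge], root: str) -> Optional[float]:
    """Validate a delegation chain that must start at `root`.

    Returns the aggregate confidence, or None if the chain is invalid because
    it does not start at the root, the edges do not link up, or some
    intermediate holder re-delegated although its certificate forbade it.
    Aggregation as the product of the indices is an assumption of this example.
    """
    if not chain:
        return None
    expected_issuer = root
    aggregate = 1.0
    for position, edge in enumerate(chain):
        if edge.issuer != expected_issuer:
            return None                       # broken or forged link
        is_last = position == len(chain) - 1
        if not is_last and not edge.delegation:
            return None                       # holder was not allowed to delegate
        aggregate *= edge.confidence
        expected_issuer = edge.holder
    return aggregate


def accept(chain: List[DelegationEdge], root: str, threshold: float) -> bool:
    """Accept the end holder's privilege only if the chain is valid and the
    aggregate confidence meets the verifier's threshold (assumed policy)."""
    value = chain_confidence(chain, root)
    return value is not None and value >= threshold


# Constructed sample chain: SOA -> alice -> bob -> carol; carol may not delegate.
SAMPLE_CHAIN = [
    DelegationEdge("SOA", "alice", 0.9, True),
    DelegationEdge("alice", "bob", 0.8, True),
    DelegationEdge("bob", "carol", 0.7, False),
]
```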

Moreover, we proposed a solution to enhance the X.509 attribute certificate in such a way that it becomes a conditionally anonymous attribute certificate. After that, we designed a protocol to obtain such certificates in a way that respects users’ anonymity by using a fair blind signature scheme. We also show how to use such certificates and describe a few cases where problems could arise, identifying some open problems [3].

  1. I. Agudo, J. Lopez, and J. A. Montenegro, "A Graphical Delegation Solution for X.509 Attribute Certificates", ERCIM News, no. 63, ERCIM, pp. 33-34, October 2005.
  2. I. Agudo, J. Lopez, J. A. Montenegro, E. Okamoto, and E. Dawson, "Delegation Perspective of Practical Authorization Schemes", Fifth International Network Conference (INC'05), pp. 157-164, 2005.
  3. V. Benjumea, J. Lopez, J. A. Montenegro, and J. M. Troya, "A First Approach to Provide Anonymity in Attribute Certificates", 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC'04), LNCS 2947, Springer, pp. 402-415, March 2004.