Infraestructura de Certificación Electrónica de Atributos y Administración de Privilegios Delegables
Spanish Ministry of Science and Technology (TIC2003-08184-C02-01)
One of the first tasks in the project PRIVILEGE has been to study and put into perspective the delegation implications of standard schemes that have been proposed in the literature as solutions for distributed authorization problems. As such, we have realized that in PolicyMaker and Keynote schemes, the delegation statement does not exist; that is, any authorization statement can be delegated once and then again without any control. On the other hand, SDSI considers three different possibilities for controlling delegation, although SPKI reduced it to a Boolean condition. Such a Boolean parameter is only a modest mechanism to control the depth of delegation .
The project PRIVILEGE focuses on the use of X509 Attribute Certificates. Therefore, it includes a practical implementation of a Privilege Management Infrastructure (PMI). As part of our work, we have developed a mechanism to perform a controlled delegation that uses the extension fields of the attribute certificates. Our proposal is based on graphical solutions, attaching extra information to every edge in the graph. In particular, we include an index, a real number in the interval [0,1], that measures the level of confidence of the issuer on the issued certificate. We also add another Boolean variable, delegation, to define whether the certificate can be chained, ie delegated .
Moreover, we proposed a solution to enhance the X.509 attribute certificate in such a way that it becomes a conditionally anonymous attribute certificate. After that, we designed a protocol to obtain such certificates in a way that respects users' anonymity by using a fair blind signature scheme. We also show how to use such certificates and describe a few cases where problems could arise, identifying some open problems .
- "A Graphical Delegation Solution for X.509 Attribute Certificates",
ERCIM News, no. 63, ERCIM, pp. 33-34, October, 2005.
- "Delegation Perspective of Practical Authorization Schemes",
Fifth International Network Conference (INC’05), pp. 157-164, 2005.
- "A First Approach to Provide Anonymity in Attribute Certificates",
2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC’04), LNCS 2947, Springer, pp. 402-415, March, 2004.
This paper focus on two security services for internet applications:authorization and anonymity. Traditional authorization solutionsare not very helpful for many of the Internet applications; however,attribute certificates proposed by ITU-T seems to be well suited andprovide adequate solution. On the other hand, special attention is paidto the fact that many of the operations and transactions that are part ofInternet applications can be easily recorded and collected. Consequently,anonymity has become a desirable feature to be added in many cases. Inthis work we propose a solution to enhance the X.509 attribute certificatein such a way that it becomes a conditionally anonymous attributecertificate. Moreover, we present a protocol to obtain such certificatesin a way that respects users’ anonymity by using a fair blind signaturescheme. We also show how to use such certificates and describe a fewcases where problems could arise, identifying some open problems.