[LINK] Attribute Certs [was: Modern PKI]
Roger.Clarke at xamax.com.au
Mon Aug 16 15:03:06 AEST 2010
[For clarity: on the aspects that I know a bit about, Stephen and I
are mostly in furious agreement; and on the aspects I know less
about, I'm getting a lot of value from this thread.]
[This email is about one particular aspect.]
The general notion of an Attribute Certificate involves an assurance
from a (hopefully, credible) entity that the entity that signs
messages using a particular private key has a particular attribute.
Examples of attributes for which this could be useful include
'currently over 18', 'pensioner of type X', 'tradesman' (e.g. to
qualify for trade discounts), 'health care professional of type X',
'JP' (e.g. for e-notarisation).
It's entirely feasible to place reliance on Attribute Certificates
that do not disclose the identity of the holder. Credentica / UProve
At 14:35 +1000 16/8/10, Stephen Wilson wrote:
>Roger mentioned Attribute Certificates. My view is these are very minor
>curiosities. The classical Attribute Certificate (AC) ... ACs failed
>because no general purpose identity certificate eventuated
I understand Stephen to be referring to the crippled X.509v3 scheme,
whereby a parent-cert could have child-certs, and child-certs could
include data about attributes of the identified individual.
If so, then I agree that they were/are minor curiosities.
But I certainly don't agree that the real concept of Attribute Certs
is a curiosity. If there were ever an effective PKI to support dig
certs, real attribute certs could become very important.
Subject to that clarification, I suspect Stephen and I may be in
furious agreement on this point too, but it isn't quite clear yet.
That's because Stephen continued:
>For those types of transactions that merit digital signatures (and not
>all do obviously) it turns out to be much more elegant to use a special
>purpose PK certificate embodying the authority information ('attribute')
>of interest, than it is to use an AC and a separate identity certificate.
Which leaves open the question as to whether the cert contains
attribute *and* identity data, or only anonymous attribute data.
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
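As an added illustration (not code from this thread or from any product it names), here is the "real concept" of an attribute cert in a few dozen lines of Go: an issuer signs a binding of the holder's public key to the attribute 'currently over 18' with no name or identity field, and the relying party checks the issuer's signature, validity, the attribute it needs, and that the message was signed with the holder's key. The struct layout, JSON to-be-signed encoding and Ed25519 keys are assumptions chosen for this example, not any standard's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// AttributeCert is a constructed, simplified attribute certificate: the issuer
// vouches that whoever controls HolderKey has Attribute; no identity field exists.
type AttributeCert struct {
	HolderKey ed25519.PublicKey `json:"holder_key"`
	Attribute string            `json:"attribute"`
	NotAfter  int64             `json:"not_after"` // Unix seconds
	Issuer    ed25519.PublicKey `json:"issuer"`
	Sig       []byte            `json:"sig"` // issuer's signature over the rest
}

// GenKey makes a fresh Ed25519 key pair for an issuer or a holder.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
func tbs(c AttributeCert) []byte { // to-be-signed encoding: every field except Sig
	c.Sig = nil
	b, _ := json.Marshal(c) // struct field order keeps this deterministic
	return b
}

// Issue: the attribute authority binds a holder's public key to one attribute.
func Issue(issuerPriv ed25519.PrivateKey, holder ed25519.PublicKey, attr string, notAfter time.Time) AttributeCert {
	c := AttributeCert{HolderKey: holder, Attribute: attr, NotAfter: notAfter.Unix(), Issuer: issuerPriv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(issuerPriv, tbs(c))
	return c
}

// Verify is the relying party's check: trusted issuer, untampered cert, not expired, wanted attribute, holder-signed message.
func Verify(c AttributeCert, trusted ed25519.PublicKey, want string, msg, msgSig []byte, now time.Time) error {
	switch {
	case !c.Issuer.Equal(trusted):
		return fmt.Errorf("untrusted issuer")
	case !ed25519.Verify(c.Issuer, tbs(c), c.Sig):
		return fmt.Errorf("issuer signature invalid: cert tampered or forged")
	case now.Unix() > c.NotAfter:
		return fmt.Errorf("attribute cert expired")
	case c.Attribute != want:
		return fmt.Errorf("attribute %q does not satisfy %q", c.Attribute, want)
	case !ed25519.Verify(c.HolderKey, msg, msgSig):
		return fmt.Errorf("message not signed with the cert holder's key")
	}
	return nil
}
```

Note that nothing in the cert or in the check identifies the holder; the relying party learns only that a trusted issuer vouched for the attribute of whoever holds the signing key.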