User Guide: Introduction

This page is a short introduction to PMI, RBAC, X.509 and Permis. For the meaning of the terms and abbreviations used here, please see our Glossary.

Five Minute Introduction

PKI and PMI

The primary purpose of a Public Key Infrastructure (PKI) is to strongly authenticate parties communicating with each other. But authentication on its own is not enough. As well as knowing who a remote party is, one also needs to know what actions the remote party is authorised to undertake. Thus we also need an authorisation mechanism. Such a mechanism is called a Privilege Management Infrastructure (PMI). A PMI provides the authorisation function after the authentication function has taken place, and it has a number of structural similarities with a PKI: the attribute certificate plays the part that the public key certificate plays in a PKI, and the attribute authority the part of the certification authority.

The X.509 PMI Standard

The primary data structure in a PMI is an X.509 Attribute Certificate (AC). An AC strongly binds a set of attributes to its holder; the attributes describe the privileges that the issuer has granted to the holder. The issuer is called an Attribute Authority (AA), since it is the authoritative source of the attributes given to the holder. Examples of attributes and their issuers: a degree awarded by a university, an ISO 9000 certificate issued by a QA compliance organisation, the role of supervisor assigned by a manager, file access permissions issued by a file's owner. The AA digitally signs the whole AC, which gives a relying party integrity and authenticity for the holder-attribute binding: before acting on any attribute it must verify the AA's signature (and check that the AC is within its validity period), since an AC that fails either check grants nothing.

Why RBAC?

The X.509 PMI standard does not favour any particular authorisation scheme: Discretionary, Mandatory and Role Based Access Control (DAC, MAC and RBAC) can all be supported. RBAC has the advantage that it significantly simplifies the management of access controls for large numbers of users, since permissions are allocated to roles rather than to individual users; a user is then granted or withdrawn a role (for example by issuing an AC carrying that role attribute) without the permissions themselves having to change.

Permis

Why is the Permis Framework necessary?

Whilst X.509 specifies
it does not specify
These missing features are implemented by Permis.

The Permis Implementation of an X.509/RBAC Authorisation Scheme

The implementation of an X.509/RBAC authorisation scheme with Permis consists of the following:
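The AC issuance and the PMI authorisation steps described above (AA signs an AC binding a holder to a role; a relying party checks the signature, the validity period and the holder against the identity the PKI step authenticated; RBAC policy maps the role to permissions), as an added example in Go. This is illustration code written for this page, not Permis code and not the X.509 ASN.1 of RFC 5755: the ACInfo layout, the use of Ed25519, the issuer name "HR-AA", the holder "alice" and the Policy table are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// Attribute is one (type, values) pair in the AC, e.g. role -> [supervisor].
type Attribute struct {
	Type   string
	Values []string
}

// ACInfo is the to-be-signed part of a simplified AC (holder, issuing AA, validity, attributes).
// Real X.509 ACs (RFC 5755) carry more fields; this toy layout is an assumption of the example.
type ACInfo struct {
	Holder, Issuer      string
	NotBefore, NotAfter time.Time
	Attributes          []Attribute
}

// AttributeCertificate is ACInfo plus the AA's signature over its DER encoding.
type AttributeCertificate struct {
	Info      ACInfo
	Signature []byte
}

// Issue is the AA operation: sign an AC granting roles to holder for [notBefore, notAfter] (Ed25519 for brevity).
func Issue(aaKey ed25519.PrivateKey, issuer, holder string, roles []string, notBefore, notAfter time.Time) (*AttributeCertificate, error) {
	info := ACInfo{Holder: holder, Issuer: issuer, NotBefore: notBefore, NotAfter: notAfter,
		Attributes: []Attribute{{Type: "role", Values: roles}}}
	tbs, err := asn1.Marshal(info) // DER of the to-be-signed part
	if err != nil {
		return nil, err
	}
	return &AttributeCertificate{Info: info, Signature: ed25519.Sign(aaKey, tbs)}, nil
}

// Verify does the checks a relying party must make before trusting any attribute: the issuer
// is a trusted AA, its signature covers the DER of ACInfo (so tampering with holder, roles or
// dates is caught), the AC is inside its validity period, and the holder is the PKI-authenticated identity.
func Verify(ac *AttributeCertificate, trustedAAs map[string]ed25519.PublicKey, authenticatedHolder string, now time.Time) error {
	pub, ok := trustedAAs[ac.Info.Issuer]
	if !ok {
		return errors.New("untrusted attribute authority: " + ac.Info.Issuer)
	}
	tbs, err := asn1.Marshal(ac.Info)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, tbs, ac.Signature) {
		return errors.New("AC signature does not verify")
	}
	if now.Before(ac.Info.NotBefore) || now.After(ac.Info.NotAfter) {
		return errors.New("AC outside its validity period")
	}
	if ac.Info.Holder != authenticatedHolder {
		return errors.New("AC holder does not match authenticated identity")
	}
	return nil
}

// Policy is a constructed RBAC policy: permissions attach to roles, never to individual users.
var Policy = map[string][]string{
	"supervisor": {"read:report", "approve:report"},
	"staff":      {"read:report"},
}

// Authorise validates the AC, then maps its role attributes through Policy.
func Authorise(ac *AttributeCertificate, trustedAAs map[string]ed25519.PublicKey, authenticatedHolder string, now time.Time, action string) (bool, error) {
	if err := Verify(ac, trustedAAs, authenticatedHolder, now); err != nil {
		return false, err
	}
	for _, attr := range ac.Info.Attributes {
		if attr.Type != "role" {
			continue
		}
		for _, role := range attr.Values {
			for _, perm := range Policy[role] {
				if perm == action {
					return true, nil
				}
			}
		}
	}
	return false, nil // valid AC, but no role grants this action
}

func main() {
	aaPub, aaKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	trusted := map[string]ed25519.PublicKey{"HR-AA": aaPub}
	ac, _ := Issue(aaKey, "HR-AA", "alice", []string{"supervisor"},
		time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC))
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(Authorise(ac, trusted, "alice", now, "approve:report")) // true <nil>
	ac.Info.Attributes[0].Values[0] = "admin"                           // tamper after signing
	fmt.Println(Authorise(ac, trusted, "alice", now, "read:report"))    // false + signature error
}
```

The order of checks in Verify is deliberate: the signature is verified before any field of the AC is trusted, so an attacker who edits the role, holder or expiry of a captured AC gets a signature failure rather than a wrong-but-plausible decision. Adding a new user in this model means one Issue call; the Policy table, which is the RBAC part, is untouched.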
The authorisation process is straightforward:

References

Implementing Role Based Access Controls Using X.509 Attribute Certificates, by David W. Chadwick, Alexander Otenko and Edward Ball, IS Institute, University of Salford.