Authorisation versus Authentication (1)
People forget the difference between Authorisation and Authentication
- in this case “people” = “consultancies/vendors”
Simple application: user “logs in” to a web server and can execute a range of transactions according to their privilege
Solution 1: “Pure PKI”
- User issued a certificate
- Certificate has extensions which encode privilege (like an attribute certificate)
- Web server checks CRL (or OCSP responder) for validity
- Executes transaction if ok
- This tying together of authentication and authorisation might be neat, but when a user’s permission changes they need a new certificate
- The old certificate needs to be revoked
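As an added example (not from the original slides), the “Pure PKI” flow above in Python with the `cryptography` package: the CA issues a user certificate whose privilege sits in a hypothetical private-arc extension, the web server checks the CA signature, the validity window, the CRL and then the extension, and `promote()` walks the drawback in the last two bullets: a privilege change means issuing a new certificate and revoking the old one. The OID, names and serials are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
PRIVILEGE_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")  # hypothetical private-arc OID (constructed)
NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the library's not_valid_* fields

def issue(cn, serial, privilege=None, ca=None, ca_key=None):
    """Self-signed CA when ca is None; else a user cert carrying the privilege as a DER UTF8String
    (short-form length, so < 128 bytes) in a private extension. Returns (cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().serial_number(serial).public_key(key.public_key()).subject_name(name)
         .not_valid_before(NOW - timedelta(hours=1)).not_valid_after(NOW + timedelta(days=1)))
    if ca is None:
        b = b.issuer_name(name).add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        return b.sign(key, hashes.SHA256()), key
    raw = bytes([0x0C, len(privilege)]) + privilege.encode()
    b = b.issuer_name(ca.subject).add_extension(x509.UnrecognizedExtension(PRIVILEGE_OID, raw), critical=False)
    return b.sign(ca_key, hashes.SHA256()), key

def crl(ca, ca_key, *serials):
    """CA-signed CRL listing the revoked serials (empty when nothing is revoked)."""
    b = x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(NOW).next_update(NOW + timedelta(hours=1))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def authorise(ca, crl_, cert, needed):
    """Server check: CA signature and validity (authentication), CRL, then the privilege (authorisation)."""
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if not (cert.not_valid_before <= NOW <= cert.not_valid_after and crl_.is_signature_valid(ca.public_key())
            and NOW <= crl_.next_update and crl_.get_revoked_certificate_by_serial_number(cert.serial_number) is None):
        return False  # expired cert, forged or stale CRL, or revoked serial: fail closed
    try:
        raw = cert.extensions.get_extension_for_oid(PRIVILEGE_OID).value.value
    except x509.ExtensionNotFound:
        return False  # authenticated, but no privilege encoded: not authorised
    return len(raw) >= 2 and raw[:2] == bytes([0x0C, len(raw) - 2]) and raw[2:] == needed.encode()

def promote():
    """The slide's drawback: a privilege change means a new certificate and revoking the old one."""
    ca, ca_key = issue("Demo CA", 1)
    old, _ = issue("alice", 100, "viewer", ca, ca_key)
    before = authorise(ca, crl(ca, ca_key), old, "viewer")  # empty CRL: accepted
    new, _ = issue("alice", 101, "approver", ca, ca_key)
    revoked = crl(ca, ca_key, old.serial_number)
    return before, authorise(ca, revoked, old, "viewer"), authorise(ca, revoked, new, "approver")
```

`promote()` returns `(True, False, True)`: the old certificate works until the privilege changes, after which only the reissued certificate is accepted and the old one is rejected via the CRL.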