Authorisation versus Authentication (2)

• Problem is, changing a users privilege should not change their identity

• Solution 2 : “Real world PKI”

  • User issued a certificate that confers identity (context) only
  • Web server authenticates user and checks CRL (or OCSP responder) only if open loop and the CPS dictates this
  • Takes identity and checks an authorisation server
  • Executes transaction if ok
  • Change of privilege is instantaneous and guaranteed synchronous
  • Removal of user is instantaneous

• Future

  • The direction of OCSP responders integrated with commercial privilege brokers based around LDAP accessible repositories may change this

Previous slide

Next slide

Back to first slide

View graphic version