On (03/05/06 20:29), Grant Thomas wrote:
> When large buildings are keyed for locks, locks can be keyed for
> different layers of security.
>
> So, there might be the highest key, or skeleton keys used in old
> houses that opened all the doors, and multiple levels of sub keys,
> down to a key that opens only one lock.
>
> I think I have a grasp on the basics of PKI as it relates to X.509
> certificates, but I'm wondering if there is a PKI implementation that
> allows for multiple layers of access built into the keys themselves.
PKI is for authentication, not for access control. The certificates (the key being the secret that ties a certificate to an individual) merely provide a method by which one party can be confident about the identity of another party, usually by relying on a third party (or fourth, fifth...).

In a slightly simplified view of X.509 each party has a certificate stating who they are, and they have a key that ties them to it. They then have a Certificate Authority sign this certificate after a process of verifying the information. They can then present this certificate to anybody, no matter whether they have ever had any contact with them before, and that person can verify the identity of the first person by checking the signature of the CA on the certificate. This then moves the trust from the person presenting the certificate to the CA.

So within an organisation there may be a CA set up for internal use. This CA issues certificates for each member of staff, tying their identity to the certificate. When it becomes time for them to authenticate themselves to something (e.g. the central database) they can present their certificate as authentication. The access control would come from the linkage between individuals and the things that they are allowed to do. So the access control on the database would first authenticate the user, and then allow them access depending on whether or not there is an entry in their access control database allowing them to.

For a slightly different way of approaching this you may want to look at SPKI which ties the certificates to roles, meaning that merely possessing the certificate allows you to do something.

http://world.std.com/~cme/html/spki.html

The point I hope I have got across is that certificates are for authentication, it is what you choose to do with them that will give you the hierarchy.
I hope I have been helpful,

James

--
James Westby
[EMAIL PROTECTED]
http://jameswestby.net/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

