> > ... is it necessary to
> > issue ONE certificate to EACH individual.
>
> Yes. The problem of granting access based on membership in a
> group is an authorization problem.

Correct.

> This doesn't have anything to do with certificates -- permissions and roles
> change independently of binding of key to identity. LDAP,
> flat files, /etc/group, etc.

Mostly correct. It is often convenient to have not only the identity but also
"attributes" of it certified. I.e., for the sake of the argument, identity
"Michael" may have an attribute "employee of Tenebras", and another attribute
"permitted access to dev repository A12". I'm driving at Attribute
Certificates. They are supposed to have a shorter life than identity certs,
but still long enough to be usable.

> You could have a hierarchy, with a subordinate CA for each
> role or group, if you want to manage it that way.

I wouldn't. He would have to have attribute CAs for each attribute - not
necessarily for each value of the attribute. I.e., an attribute CA "Personnel
Department" could issue attribute certificates "employed in position X",
"granted access to resource Y"...

The question of whether attribute certs are better or worse for authorization
than e.g. flat files is similar to whether cert-based identity authentication
is better or worse than e.g. LDAP-based authentication or flat files, e.g.
Unix /etc/passwd.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
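An added worked example, not from this thread and not OpenSSL's own code, showing the split the reply describes, written in Go against the standard library. It issues a long-lived identity certificate to "Michael" from an identity CA, then has a separate attribute CA ("Personnel Department") issue a short-lived attribute certificate bound to that identity cert by issuer DN and serial number, the way RFC 5755 names a holder, and finally makes an access decision in two steps: authenticate the identity cert against the identity CA, then authorize from the attribute cert. Assumptions: the attribute certificate is a JSON stand-in rather than the RFC 5755 ASN.1 structure (no OpenSSL API is involved), the names "Tenebras", "Michael", "Personnel Department" and "dev repository A12" are the thread's illustrative ones, and all keys and certs are generated at start-up, so every run builds a fresh, constructed PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AttrCert is a simplified stand-in for an RFC 5755 attribute certificate (assumption: JSON
// body, not ASN.1); as in RFC 5755 the holder is the identity cert's issuer DN plus serial.
type AttrCert struct {
	HolderIssuer, HolderSerial, Issuer string
	NotBefore, NotAfter                int64
	Attributes                         []string
}

// SignedAttrCert is the encoded body plus the attribute CA's Ed25519 signature over it.
type SignedAttrCert struct{ Body, Sig []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	return must(k, err)
}

func issueIdentityCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// IssueAttrCert: the attribute CA binds attrs to holder for ttl (hours, not years), independent of the identity cert.
func IssueAttrCert(holder *x509.Certificate, issuer string, attrs []string, ttl time.Duration, key ed25519.PrivateKey, now time.Time) SignedAttrCert {
	body := must(json.Marshal(AttrCert{HolderIssuer: holder.Issuer.String(), HolderSerial: holder.SerialNumber.String(),
		Issuer: issuer, NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix(), Attributes: attrs}))
	return SignedAttrCert{Body: body, Sig: ed25519.Sign(key, body)}
}

// Authorize keeps the two decisions apart: (1) authentication, the identity cert chains to
// the identity CA; (2) authorization, a valid attribute cert names this holder and grants want.
func Authorize(leaf *x509.Certificate, idRoots *x509.CertPool, sac SignedAttrCert, attrCA ed25519.PublicKey, want string, now time.Time) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: idRoots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	var ac AttrCert
	if !ed25519.Verify(attrCA, sac.Body, sac.Sig) || json.Unmarshal(sac.Body, &ac) != nil {
		return errors.New("attribute cert: bad signature or encoding")
	}
	if ac.HolderIssuer != leaf.Issuer.String() || ac.HolderSerial != leaf.SerialNumber.String() {
		return errors.New("attribute cert: holder is not the presented identity")
	}
	if now.Unix() < ac.NotBefore || now.Unix() > ac.NotAfter {
		return errors.New("attribute cert: outside validity period")
	}
	for _, a := range ac.Attributes {
		if a == want {
			return nil
		}
	}
	return errors.New("attribute not granted: " + want)
}

// Constructed test PKI (not real data): one identity CA, two one-year identity certs, and an
// attribute CA ("Personnel Department") that issued each holder an 8-hour attribute cert.
var (
	Now                   = time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	Roots, Michael, Other = buildIdentityPKI()
	AttrKey               = newKey()
	AttrCAPub             = AttrKey.Public().(ed25519.PublicKey)
	MichaelAC             = IssueAttrCert(Michael, "Personnel Department", []string{"employee of Tenebras", "access: dev repository A12"}, 8*time.Hour, AttrKey, Now)
	OtherAC               = IssueAttrCert(Other, "Personnel Department", []string{"employee of Tenebras", "access: dev repository A12"}, 8*time.Hour, AttrKey, Now)
)

func buildIdentityPKI() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	caKey := newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Tenebras Identity CA"},
		NotBefore: Now, NotAfter: Now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issueIdentityCert(caTmpl, caTmpl, caKey.Public().(ed25519.PublicKey), caKey) // parent == tmpl: self-signed
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := func(serial int64, cn string) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: Now, NotAfter: Now.AddDate(1, 0, 0)}
		return issueIdentityCert(t, ca, newKey().Public().(ed25519.PublicKey), caKey)
	}
	return roots, leaf(1001, "Michael"), leaf(1002, "Someone Else")
}

func main() {
	const a12 = "access: dev repository A12"
	fmt.Println("Michael, A12, now:        ", Authorize(Michael, Roots, MichaelAC, AttrCAPub, a12, Now))
	fmt.Println("Michael, A12, a day later:", Authorize(Michael, Roots, MichaelAC, AttrCAPub, a12, Now.Add(24*time.Hour)))
	fmt.Println("Michael with Other's AC:  ", Authorize(Michael, Roots, OtherAC, AttrCAPub, a12, Now))
}
```

The holder check (issuer DN plus serial) is what stops an attribute cert issued to one person from being presented alongside someone else's identity cert, and the 8-hour lifetime means a withdrawn attribute simply stops being re-issued, with no need to revoke the identity cert. If the authorization source were a flat file or /etc/group instead, only the second half of Authorize would change; the authentication half stays the same.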