In this lesson we discuss PMI, Privilege Management Infrastructure, for managing the authorizations or privileges within a system. We use attribute certificates as an instrument to associate access rights to the resources and services in a system with the identities or roles of the intended users of the system. We compare the PKI, the Public Key Infrastructure, whose focus is identity management, with the PMI, whose focus is the management of the privileges authorized for the users. We discuss their different uses for access control of the system. According to the definition specified in NIST Special Publication 800-152, authorization is defined to include the access privileges that are granted to a system entity to access system resources. It also refers to the process of verifying that a requested action or service is approved for a given specific entity. Authorization is different from authentication, which is the process of verifying the identity of a specific entity, for example, verifying that a person is indeed who he says he is. In simple terms, authentication verifies that a person is who they claim to be. A person is required to prove who they are by presenting certain proof to gain access, such as a passport or driving license, and in computer terms a password or a digital certificate. Authorization deals with what you are permitted to do once you are authenticated. It can be explicit, by requiring someone to present an authorization document such as an attribute certificate, or it can be implicit, by having the access control system use the identity established during the authentication process to query the authorization database and retrieve the authorizations of the entity. Here, we show step one of the PMI certificate request and signing process. 
The user fills in the attribute certificate signing request, called an ACSR, which includes the normal fields of a certificate, such as the issuer field, the validity period, and the suggested hashing and asymmetric algorithms for the Attribute Certificate Authority to sign the certificate. The user also fills in the unique fields: here, the holder, which is the person to be authorized, and the user attributes, a set of permissions or a policy given to this user. The ACSR is written in a [inaudible] standard format. The user sends the ACSR to the Attribute Certificate Authority. Consider the Attribute Certificate Authority as the entity that signs the attribute certificate with some software or hardware; typically it is the person in charge of the system or of the task force. Here, we show step two of the PMI certificate request and signing process. On receiving the attribute certificate signing request, the Attribute Certificate Authority verifies the holder's identity and then decides the authorization given to the holder, encoding it into the attribute field. It then uses its own choice of hashing and asymmetric algorithm to sign the attribute certificate. The Attribute Certificate Authority saves a copy of the signed attribute certificate in the attribute certificate directory, for attribute-based access control to retrieve, and returns a copy back to the user. Unlike PKI, the user cannot send in a revocation request to change the attribute certificate. Normally, it is the attribute authority's job to update and revoke the attribute certificates. Here, we show step three, PMI attribute-based access control. Once the user has received the attribute certificate, the user can submit a request with the holder identity and the attribute certificate. The Attribute Based Access Control system then authenticates the user and sends a query to its attribute directory server. Typically this is a directory server queried with the established identity to retrieve the attributes associated with that identity. 
Based on the returned attributes, which contain the permission and authorization list, the Attribute Based Access Control system evaluates the user's request and grants or rejects it. The Attribute Certificate Authority can update and revoke the attribute certificate by sending a request to the Attribute Certificate Directory Server. The ABAC system's view of the holder's privileges changes as soon as the holder's attributes are changed in the attribute directory. This is called Attribute Based Access Control. Here, we compare the fields contained in a public key certificate with those in an attribute certificate. They both have version, serial number, signature ID, issuer, validity period, and extension fields. The differences are that the subject field is replaced by the holder field, and the subject public key information is replaced by a set of attributes. In the following lesson, I will discuss the Extensible Access Control Markup Language, or XACML for short.
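The three steps of the lesson (the ACSR, the ACA signing the certificate and publishing it to the directory, and the ABAC system querying the directory and deciding) together with the field comparison, as an added example in Go that is not part of the lesson or of any PMI product. It assumes Ed25519 as the ACA's asymmetric algorithm, JSON as the to-be-signed encoding in place of ASN.1 DER, an in-memory map standing in for the attribute certificate directory server, and constructed names ("ACA-1", "alice", "read:reports") for the issuer, holder and permission.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeCertificate carries the fields the lesson lists: those shared with
// a public key certificate (version, serial, signature algorithm, issuer,
// validity) plus the two that differ: a holder instead of a subject, and a set
// of attributes instead of subject public key information.
type AttributeCertificate struct {
	Version    int       `json:"version"`
	Serial     uint64    `json:"serial"`
	SigAlg     string    `json:"signatureAlgorithm"`
	Issuer     string    `json:"issuer"`
	NotBefore  time.Time `json:"notBefore"`
	NotAfter   time.Time `json:"notAfter"`
	Holder     string    `json:"holder"`
	Attributes []string  `json:"attributes"`
}

// SignedAC is the certificate together with the ACA's signature over it.
type SignedAC struct {
	Cert      AttributeCertificate
	Signature []byte
}

// tbsBytes is the to-be-signed encoding. JSON is an assumption made for this
// example; real attribute certificates are DER-encoded ASN.1.
func tbsBytes(c AttributeCertificate) ([]byte, error) { return json.Marshal(c) }

// AttributeCA is the Attribute Certificate Authority: it holds the signing key
// and decides which attributes a holder gets (Ed25519 is an assumed choice).
type AttributeCA struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	serial uint64
}

func NewAttributeCA(name string) (*AttributeCA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AttributeCA{Name: name, Pub: pub, priv: priv}, nil
}

// Sign is step two: the ACA, having verified the holder's identity, encodes the
// attributes it decided on (not necessarily those requested) and signs them.
func (ca *AttributeCA) Sign(holder string, attrs []string, now time.Time, validFor time.Duration) (SignedAC, error) {
	ca.serial++
	cert := AttributeCertificate{
		Version: 2, Serial: ca.serial, SigAlg: "Ed25519", Issuer: ca.Name,
		NotBefore: now, NotAfter: now.Add(validFor),
		Holder: holder, Attributes: attrs,
	}
	tbs, err := tbsBytes(cert)
	if err != nil {
		return SignedAC{}, err
	}
	return SignedAC{Cert: cert, Signature: ed25519.Sign(ca.priv, tbs)}, nil
}

// AttributeDirectory stands in for the attribute certificate directory server.
// Only the ACA publishes, updates or revokes entries; the ABAC system reads.
type AttributeDirectory struct{ byHolder map[string]SignedAC }

func NewDirectory() *AttributeDirectory {
	return &AttributeDirectory{byHolder: map[string]SignedAC{}}
}
func (d *AttributeDirectory) Publish(ac SignedAC)  { d.byHolder[ac.Cert.Holder] = ac }
func (d *AttributeDirectory) Revoke(holder string) { delete(d.byHolder, holder) }

// Authorize is step three: for an already authenticated identity, the ABAC
// system fetches the holder's certificate, checks the ACA signature and the
// validity window, and grants only if the requested permission is an attribute.
func Authorize(d *AttributeDirectory, caPub ed25519.PublicKey, holder, permission string, now time.Time) (bool, error) {
	ac, ok := d.byHolder[holder]
	if !ok {
		return false, errors.New("no attribute certificate on file for holder")
	}
	tbs, err := tbsBytes(ac.Cert)
	if err != nil {
		return false, err
	}
	if !ed25519.Verify(caPub, tbs, ac.Signature) {
		return false, errors.New("attribute certificate signature does not verify")
	}
	if now.Before(ac.Cert.NotBefore) || now.After(ac.Cert.NotAfter) {
		return false, errors.New("attribute certificate outside its validity period")
	}
	for _, a := range ac.Cert.Attributes {
		if a == permission {
			return true, nil
		}
	}
	return false, nil // valid certificate, but this permission was never granted
}

func main() {
	ca, _ := NewAttributeCA("ACA-1") // constructed issuer name
	dir := NewDirectory()
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	ac, _ := ca.Sign("alice", []string{"read:reports"}, now, 24*time.Hour)
	dir.Publish(ac)
	fmt.Println(Authorize(dir, ca.Pub, "alice", "read:reports", now))
}
```

The signature covers the holder and the attribute set together, which is what makes the lesson's point about revocation concrete: a holder who edits the attribute list in their own copy produces a certificate the ABAC system rejects, and a holder who wants a change has to go back to the ACA, which republishes to the directory; removing the directory entry is how the ACA revokes, and the next decision reflects it immediately because the ABAC system never caches the old attributes.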