Attribute Certificates and their Limitations
A critical review of "Attribute Certificates" and the problems associated with using them to convey special rights and credentials. First appeared in the Quarterly Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, Issue 3, 2000. Reproduced with permission.
See also the more recent Lockstep whitepaper Relationship Certificates.
Attribute certificates are in vogue amongst some vendors and pundits for conveying business credentials independently of the holder's identity certificate. They are a new technology, supported by a handful of Certificate Authority (CA) vendors and only recently covered by the latest version of the X.509 digital certificate standard. They ought to be approached with caution on this basis alone. But more fundamentally, users should consider that 'identity' naturally comes in different guises, and should not be separated so strictly from 'attributes'. Traditional 'identity' certificates are in fact a powerful means for conveying business credentials in most e-business applications.