
X509


X.509. In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

History and usage. X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing certificates. This contrasts with web-of-trust models such as PGP, where anyone (not just designated CAs) may sign, and thus attest to the validity of, others' key certificates. Version 3 of X.509 adds the flexibility to support other topologies such as bridges and meshes (RFC 4158).

Certificates. X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems.

Authorization certificate. In computer security, an attribute certificate, or authorization certificate (AC), is a digital document containing attributes that the issuer associates with the holder. When those attributes are used mainly for authorization purposes, the AC is called an authorization certificate. ACs are standardized in X.509; RFC 5755 further specifies their use for authorization on the Internet.

Comparison of attribute and public key certificates. An AC resembles a public key certificate (PKC) but contains no public key: an AC verifier is under the control of the AC issuer and therefore trusts the issuer directly, with the issuer's public key preinstalled. Verifying an AC requires the presence of the PKC that the AC refers to as its holder.

As with a PKC, an AC can be chained to delegate attributions. A user may also need to obtain several ACs from different issuers to use a particular service.

x509 v3 attribute certificate. X509V2AttributeCertificate (Bouncy Castle Library 1.37 API Specification). x509certificate - Create X.509 Authorization Certificate. RFC 5755 - An Internet Attribute Certificate Profile for Authorization.

Internet Engineering Task Force (IETF), Request for Comments: 5755, Obsoletes: 3281, Category: Standards Track, ISSN: 2070-1721. S. Farrell (Trinity College Dublin), R. Housley (Vigil Security), S. Turner (IECA). January 2010.

Abstract. This specification defines a profile for the use of X.509 Attribute Certificates in Internet Protocols.

Attribute certificates may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and a broader spectrum of operational and assurance requirements.

Copyright (c) 2010 IETF Trust and the persons identified as the document authors.

AttributeCertificates.pdf.

X509 Implementation