(I) A digital certificate that binds a set of descriptive data
items, other than a public key, either directly to a subject name
or to the identifier of another certificate that is a public-key
certificate. [X509]
(O) "A set of attributes of a user together with some other
information, rendered unforgeable by the digital signature created
using the private key of the CA which issued it." [X509]
(O) "A data structure that includes some attribute values and
identification information about the owner of the attribute
certificate, all digitally signed by an Attribute Authority. This
authority's signature serves as the guarantee of the binding
between the attributes and their owner." [FPDAM]
(C) A public-key certificate binds a subject name to a public key
value, along with information needed to perform certain
cryptographic functions. Other attributes of a subject, such as a
security clearance, may be certified in a separate kind of digital
certificate, called an attribute certificate. A subject may have
multiple attribute certificates associated with its name or with
each of its public-key certificates.
(C) An attribute certificate might be issued to a subject in the
following situations:
- Different lifetimes: When the lifetime of an attribute binding
is shorter than that of the related public-key certificate, or
when it is desirable not to need to revoke a subject's public
key just to revoke an attribute.
- Different authorities: When the authority responsible for the
attributes is different from the one that issues the public-key
certificate for the subject. (There is no requirement that an
attribute certificate be issued by the same CA that issued the
associated public-key certificate.)
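The following is an added illustration, not part of the glossary text or of any X.509 implementation: a toy model in which a CA issues a public-key certificate, a separate Attribute Authority issues an attribute certificate whose holder field points at that public-key certificate by issuer and serial, and a relying party checks both. The RSA keys are constructed from small Mersenne primes and the "DER" encoding is sorted JSON; both are stand-ins chosen so the example runs offline, and neither is suitable for real use. The scenarios exercised are the two motivations given above (the attribute certificate expires or is revoked while the public-key certificate stays valid) plus two binding failures (tampered attributes, attribute certificate presented with the wrong holder's public-key certificate).

```python
"""Toy model of attribute certificates (ACs) alongside public-key
certificates (PKCs).  Constructed example: tiny textbook RSA keys and a
JSON stand-in for DER, for illustration only."""
import hashlib
import json

# --- toy RSA signatures (constructed; insecure, illustration only) ---
def toy_keypair(p, q, e=65537):
    """Return (public, private) key dicts from two primes; never use in practice."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest(data: bytes, n: int) -> int:
    # Hash the data, then reduce into the toy key's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def canonical(tbs: dict) -> bytes:
    """Deterministic encoding of the to-be-signed part (stand-in for DER)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()

# --- certificates ---
def issue_pkc(ca_priv, issuer, serial, subject, subject_pub, not_before, not_after):
    """The CA binds a subject name to a public-key value."""
    tbs = {"issuer": issuer, "serial": serial, "subject": subject,
           "public_key": subject_pub, "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_priv, canonical(tbs))}

def issue_ac(aa_priv, issuer, serial, holder_pkc, attributes, not_before, not_after):
    """The Attribute Authority binds attributes to a holder, identified by
    the issuer and serial number of the holder's public-key certificate."""
    holder = {"pkc_issuer": holder_pkc["tbs"]["issuer"],
              "pkc_serial": holder_pkc["tbs"]["serial"]}
    tbs = {"issuer": issuer, "serial": serial, "holder": holder,
           "attributes": attributes, "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(aa_priv, canonical(tbs))}

def check_pkc(pkc, ca_pub, now, revoked=()):
    tbs = pkc["tbs"]
    if not verify(ca_pub, canonical(tbs), pkc["signature"]):
        return "bad CA signature"
    if not (tbs["not_before"] <= now <= tbs["not_after"]):
        return "public-key certificate outside validity period"
    if tbs["serial"] in revoked:
        return "public-key certificate revoked"
    return "ok"

def check_ac(ac, aa_pub, holder_pkc, now, revoked=()):
    """Check the AA's signature, validity period, revocation status, and that
    the AC's holder field really points at the presented public-key certificate."""
    tbs = ac["tbs"]
    if not verify(aa_pub, canonical(tbs), ac["signature"]):
        return "bad AA signature (attributes or holder tampered)"
    if not (tbs["not_before"] <= now <= tbs["not_after"]):
        return "attribute certificate outside validity period"
    if tbs["serial"] in revoked:
        return "attribute certificate revoked"
    h = tbs["holder"]
    if (h["pkc_issuer"], h["pkc_serial"]) != (holder_pkc["tbs"]["issuer"],
                                             holder_pkc["tbs"]["serial"]):
        return "holder does not match the presented public-key certificate"
    return "ok"

def demo():
    """Walk through the situations the glossary entry describes (constructed data)."""
    ca_pub, ca_priv = toy_keypair(2**31 - 1, 2**61 - 1)     # certification authority
    aa_pub, aa_priv = toy_keypair(2**61 - 1, 2**89 - 1)     # separate attribute authority
    alice_pub, _ = toy_keypair(2**31 - 1, 2**89 - 1)
    bob_pub, _ = toy_keypair(2**31 - 1, 2**107 - 1)
    pkc = issue_pkc(ca_priv, "CN=Example CA", 1001, "CN=Alice", alice_pub,
                    "2024-01-01", "2026-01-01")            # two-year key binding
    ac = issue_ac(aa_priv, "CN=Security Office AA", 7, pkc, {"clearance": "SECRET"},
                  "2024-01-01", "2024-07-01")              # six-month attribute binding
    bob_pkc = issue_pkc(ca_priv, "CN=Example CA", 1002, "CN=Bob", bob_pub,
                        "2024-01-01", "2026-01-01")
    results = {}
    results["both valid"] = (check_pkc(pkc, ca_pub, "2024-03-01"),
                             check_ac(ac, aa_pub, pkc, "2024-03-01"))
    # Different lifetimes: the attribute expires while the key binding stays valid.
    results["ac expired, pkc still valid"] = (check_pkc(pkc, ca_pub, "2024-09-01"),
                                              check_ac(ac, aa_pub, pkc, "2024-09-01"))
    # Revoking the attribute does not require revoking the subject's key.
    results["ac revoked only"] = (check_pkc(pkc, ca_pub, "2024-03-01"),
                                  check_ac(ac, aa_pub, pkc, "2024-03-01", revoked={7}))
    # Changing an attribute without the AA's private key breaks the signature.
    forged = {"tbs": {**ac["tbs"], "attributes": {"clearance": "TOP SECRET"}},
              "signature": ac["signature"]}
    results["tampered attribute"] = check_ac(forged, aa_pub, pkc, "2024-03-01")
    # Presenting Alice's AC with Bob's public-key certificate fails the holder check.
    results["wrong holder"] = check_ac(ac, aa_pub, bob_pkc, "2024-03-01")
    return results

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The holder field is what makes the binding between attributes and subject indirect: the attribute certificate carries no public key of its own, so a relying party must always obtain and validate the referenced public-key certificate separately, under the CA's key, before trusting the attributes under the AA's key.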