UseCondition Certificate

A UseCondition Certificate is a signed document that requires one or more attributes as a condition for an operation on a named resource. Taken together, all of the use-conditions define the group of entities that are permitted to access a resource (object or groups of objects). Each use-condition is, in effect, a piece of an access control list. UseCondition Certificates are created and signed by resource stakeholders. The stakeholder should store the Certificates in a directory that is accessible by the Akenti server, e.g in a Web Server, an LDAP server or on the resource gateway machine.

Contents of Use Condition Certificate

Resource name by which the resource is referenced
This may name a single object or refer to all the objects in the specified subtree.
Scope - whether this UseCondition applies only to the named resource or to all the resources in that subtree
Critical boolean - if true this UseCondition must be satisfied or a user will get no access to the resource.
UseCondition which consists of
- A boolean expression combining attributes and values that the user must have. An atribute type can be one of: SYSTEM, X509, AKENTI or EXT_AUTH.
- An array of attribute information for each attribute/value which includes the authorities that may vouch for the attributes and optionally a list of places to search for the attribute certificates.
The list of the actions that are allowed.

Example of XML Use Condition Certificate

<AkentiCertificate>
  <SignablePart>
    <Header type="UseCondition" SignatureDigestAlg="RSA-MD5" CanonAlg="AkentiV1">
        (...)
   </Header>
   < UseConditionCert scope="sub-tree" enable="false"> 
     <ResourceName>DieselCollab/PREServer/chad </ResourceName>
     <Condition> 
       <Constraint>(( cn = Diane Gomes ) | ( cn = Mary R. Thompson ))</Constraint>
       <AttributeInfo type="X509">
          <AttrName>cn</AttrName>
          <AttrValue>Diane Gomes</AttrValue>
          <CADN>/C=US/O=Diesel Combustion Collaboratory/OU=SNL/CN=DieselCert.ca.sandia.gov </CADN>
       </AttributeInfo>
       <AttributeInfo type="X509">
          <AttrName>cn</AttrName>
          <AttrValue>Mary R. Thompson</AttrValue>
          <CADN>/C=US/O=LBNL/OU=ICSD/CN=IDCG-CA</CADN>
       </AttributeInfo>
    </Condition>
    <Rights>read,execute </Rights>
  </UseConditionCert>
  </SignablePart>
</AkentiCertificate>

See Akenti Certificate Specification for the complete details.

Page last modified: Tuesday, 21-May-2002 19:52:44 PDT Contact: MRThompson@lbl.gov <Akenti development group> Credits:Distributed Security research and development is funded by the U.S. Dept. of Energy, Office of Science, Office of Advanced Scientific Computing Research, Mathematical, Information, and Computational Sciences Division. Privacy and site security notice to Users