Attribute Certificates vs. Attribute Assertions: Panel Summary
Ben Chinowsky, Internet2
Russ Housley proposed two rules for including an attribute in an X.509
certificate: the CA should be authoritative for the attribute, and the expected
lifetime of the attribute should not make revocation of the certificate more
likely. He noted that
attribute certs (ACs) support both pull usage models, in which the verifier
retrieves the cert from a repository, and push models, in which the cert holder
sends the cert to the verifier. Housley proposed an attribute authority model in
which CAs decide whether or not a given AC issuer is trusted to issue ACs
containing a given attribute. After providing an overview of SAML, Carlisle
Adams argued that SAML attribute assertions (AAs) are more likely to succeed
than ACs — not because they're an inherently better or more mature technology,
but because AAs have been more widely accepted by the architects of the
surrounding infrastructure. Adams's slides include a diagram illustrating the
richness of the supporting infrastructure available to AAs in a web services
context; by contrast, the only infrastructure available to ACs is LDAP. Adams
noted that he was once a big fan of ACs, and even contributed to the AC
architecture document, but that these infrastructural developments now make AAs
his choice.
Points made in the Q&A included:
- At the conceptual level, ACs and AAs are the same. Adams observed that you can
think of a SAML assertion as an XML encoding of an AC.
- Attributes tend to be very local. Tim Polk noted that while the director of
NIST theoretically owns all of NIST's systems, people don't go to him for
authorizations.
- Sometimes you really do need identity. Housley gave the example of getting on
an airplane: it's primarily about whether you can pay (an attribute) but also
about who you are (identity). Another real-world example of the importance of identity
comes from divorcing couples: one ex-to-be often knows the shared secrets
(attributes) of the other, enabling him or her to get access to their financial
information for use in court. David Wasley observed that you can look at
identity as being a set of attributes together with an MBUN (or similar anonym)
from which they can be derived.
- Delegation issues are hard. Housley noted that he'd learned from working on
the Defense Message System that the authority appropriate to vouch for identity
is often not the same as the authority appropriate to vouch for attributes.
Housley also noted the importance of being able to delegate some of your
authorizations without delegating all of them; this is a big issue for the Grid
community, which is pursuing proxy certs as a solution. Housley suggested that
delegation will require certs with lifetimes as short as half a shift, and noted
that there is wide variation among users in how fine-grained they want their
control over delegation to be; some don't care at all, and others care a lot.
- The process around attribute authorities is likely to become just as legally
cumbersome as CA process has. On the other hand, Adams noted that all the legal
know-how gained from working on X.509 CAs will apply just as well to SAML
attribute authorities.
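Two of the points above, Housley's attribute authority model (a CA or relying party decides which AC issuer is trusted to assert which attribute) and the delegation constraint (delegate some authorizations but not all, with lifetimes as short as half a shift), are easy to see as a verifier's checks. The following is an added example written for this summary; it is not code from the panel, from any panelist's slides, or from the AC or SAML specifications. It models an AC as a plain Python dict rather than DER-encoded ASN.1, and the trust table, the four-hour delegation cap, and the names "Ops Attribute Authority", "alice" and "alice-proxy" are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed local policy (not from the panel): which attribute authority may
# assert which attribute types, and how long a delegated AC may live before it
# simply expires instead of needing revocation (the "half a shift" idea).
TRUST_POLICY = {
    "HR Attribute Authority": {"role", "department"},
    "Ops Attribute Authority": {"role", "oncall-group"},
}
MAX_DELEGATED_LIFETIME = timedelta(hours=4)

# Constructed reference time: start of a shift.
T0 = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)


def hours(n):
    return timedelta(hours=n)


def make_ac(issuer, holder, attributes, not_before, valid_hours):
    """Build a toy AC. attributes maps an attribute type to its set of values."""
    return {
        "issuer": issuer,
        "holder": holder,
        "attributes": {t: frozenset(v) for t, v in attributes.items()},
        "not_before": not_before,
        "not_after": not_before + hours(valid_hours),
    }


def check_issuer_authority(ac, policy=TRUST_POLICY):
    """Attribute types in ac that its issuer is not trusted to assert."""
    allowed = policy.get(ac["issuer"], set())
    return sorted(t for t in ac["attributes"] if t not in allowed)


def check_delegation(parent, child, max_lifetime=MAX_DELEGATED_LIFETIME):
    """Problems with child as a delegation made by the holder of parent."""
    problems = []
    if child["issuer"] != parent["holder"]:
        problems.append("issuer is not the delegating holder")
    # Delegate some authorizations, never more than the delegator holds.
    for t, values in child["attributes"].items():
        if not values <= parent["attributes"].get(t, frozenset()):
            problems.append(f"attribute {t!r} not held by delegator")
    # A delegation cannot outlive the authorization it is derived from.
    if (child["not_before"] < parent["not_before"]
            or child["not_after"] > parent["not_after"]):
        problems.append("validity not nested inside delegator's validity")
    if child["not_after"] - child["not_before"] > max_lifetime:
        problems.append("delegated lifetime exceeds policy maximum")
    return problems


def verify_chain(chain, now, policy=TRUST_POLICY,
                 max_lifetime=MAX_DELEGATED_LIFETIME):
    """Verify [root AC, delegated AC, ...]; return (attributes, problems).

    The root AC must come from an authority trusted for every attribute it
    carries; each later AC must be a valid delegation by the previous holder;
    every AC must be within its validity period at `now`. Attributes are
    returned only when there are no problems.
    """
    problems = []
    root = chain[0]
    for t in check_issuer_authority(root, policy):
        problems.append(f"{root['issuer']} not trusted for attribute {t!r}")
    for parent, child in zip(chain, chain[1:]):
        problems.extend(f"{child['holder']}: {p}"
                        for p in check_delegation(parent, child, max_lifetime))
    for ac in chain:
        if not (ac["not_before"] <= now <= ac["not_after"]):
            problems.append(f"AC for {ac['holder']} not valid at {now.isoformat()}")
    if problems:
        return {}, problems
    return {t: set(v) for t, v in chain[-1]["attributes"].items()}, []


if __name__ == "__main__":
    # Constructed data: alice holds two roles for 30 days and hands only
    # "operator" to a proxy that lives for four hours.
    alice = make_ac("Ops Attribute Authority", "alice",
                    {"role": {"operator", "auditor"}, "oncall-group": {"net"}},
                    T0, 24 * 30)
    proxy = make_ac("alice", "alice-proxy", {"role": {"operator"}}, T0 + hours(1), 4)
    print(verify_chain([alice, proxy], T0 + hours(2)))
    # A proxy claiming a role alice never held is rejected.
    bad = make_ac("alice", "alice-proxy", {"role": {"admin"}}, T0 + hours(1), 4)
    print(verify_chain([alice, bad], T0 + hours(2)))
```

The subset test on attribute values is what lets a holder delegate part of an authorization without all of it, and the nested-validity and lifetime caps are what make the short-lived delegation expire on its own instead of relying on revocation.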