FPKIPA Rich Attribute Exchange with PKI Certificates


Executive Summary

Public key certificates provide a very strong authentication mechanism. However, they contain very little information about the end user. This limits the relying party, particularly regarding authorization decisions. Since higher assurance authentication is becoming increasingly necessary, there is increasing adoption of public key certificates. Therefore, relying parties need “rich attribute exchange” in the context of public key certificate based authentication, to have the information necessary for such things as authorization. This paper highlights viable options for rich attribute exchange, focusing on getting the attributes to the relying party. This includes four (4) conceptually different approaches (and alternative implementations of each):

• Prompt the End User;

• Web Based Identity Standard;

• Provisioning; and

• Attributes in Certificates.

For each approach, this paper discusses essential considerations such as attribute extensibility, confidentiality, information assurance, and complexity. A listing of pros and cons highlights critical points. In addition, transaction flow diagrams highlight the workings of each approach. The paper concludes by summarizing and comparing the approaches in a set of tables.

Comparisons are at both a high level and a detailed level. Color-coding indicates how each approach fares per essential consideration. The appendices provide brief overviews of technologies potentially useful to rich attribute exchange. The glossary explains essential terms and concepts used throughout the document.
