IBM®

Trust Establishment

A tool for enabling trusting relationships between strangers based on Public Key Certificates.


Date Posted: December 30, 1999

Update: February 4, 2004

Version 1.1.0: Adds a new Lightweight Policy Evaluator module based on the JDK standard X509 certificate API. It can be run side by side with the full Trust Establishment server that is used for creating demo X509 certificates.

What is Trust Establishment?

Trust Establishment is a tool for enabling trusting relationships between strangers based on Public Key Certificates. Instead of checking the log-in user name and password (or doing some simple checks on the issuer/subject's distinguished name (DN)) and then establishing the user role, Trust Establishment can decide on the users' roles based on their certificates and a given policy. The system extends traditional role-based access control systems by validating the certificate and then mapping the certificate owner to a role. Trust Establishment does not make the actual access control decision; rather, it decides who belongs to which groups. The policy provides the rules that determine how to map entities to roles.

Trust Establishment is written in Java and includes an API toolkit that can be used to extend the access control abilities of existing applications or Web servers.

How does it work?

Trust Establishment uses the X509 V3 certificate format; it is designed to support other certificate types, but this type was chosen since it is currently the most commonly used. The certificate subject and issuer are identified by X500 names, where X500 defines a global directory for all names and DN is the distinguished name. Trust Establishment does not use these X500 names; instead, it keeps a unique identifier for each subject and issuer that is derived from the public key and is stored in the standard issuer/subject altName extensions.

Trust Establishment decides on the role for the key, so it is not interested in the identity of the user; hence, the X500 names are not really important. They are used because they are obligatory for the X509 format. The certificate is eventually converted to an internal data type.
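
The key-centric role mapping described above, as an added example that is not IBM's code or the Trust Establishment policy format. The Cert and Rule records, the rule shape and the SHA-256 key identifier are assumptions, and each record stands for a certificate whose signature has already been verified.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

class Cert(NamedTuple):      # hypothetical stand-in for an already verified X509 cert
    subject_dn: str          # obligatory in X509, never consulted by the evaluator
    subject_key: bytes
    issuer_key: bytes
    attribute: str           # what the issuer asserts about the subject

class Rule(NamedTuple):      # hypothetical rule: grant `role` when an issuer holding
    role: str                # `issuer_role` asserts `attribute` about the subject
    attribute: str
    issuer_role: str

def key_id(public_key: bytes) -> str:
    """Identifier derived from the public key (SHA-256 is an assumption)."""
    return hashlib.sha256(public_key).hexdigest()[:16]

def assign_roles(certs, rules, trusted_roots):
    """Map key identifiers to roles, iterating until no rule adds anything new."""
    roles = defaultdict(set)
    for kid, role in trusted_roots.items():
        roles[kid].add(role)
    changed = True
    while changed:
        changed = False
        for cert in certs:
            issuer_roles = roles.get(key_id(cert.issuer_key), set())
            for rule in rules:
                if cert.attribute == rule.attribute and rule.issuer_role in issuer_roles:
                    subject = key_id(cert.subject_key)
                    if rule.role not in roles[subject]:
                        roles[subject].add(rule.role)
                        changed = True
    return dict(roles)

# Constructed sample data: placeholder byte strings stand in for public keys.
COMPANY, DEPT, ALICE, MALLORY = b"company-key", b"dept-key", b"alice-key", b"mallory-key"
RULES = [Rule("department", "department", "company"),
         Rule("employee", "employee", "department")]
CERTS = [
    Cert("CN=Alice", ALICE, DEPT, "employee"),        # listed before its issuer's role is known
    Cert("CN=Alice", MALLORY, MALLORY, "employee"),   # same DN, self-issued by an unknown key
    Cert("OU=Research", DEPT, COMPANY, "department"),
]
ROLES = assign_roles(CERTS, RULES, {key_id(COMPANY): "company"})
```

Both "CN=Alice" certificates carry the same DN, but only the key certified through the trusted chain receives the employee role.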

All certificates and signatures are implemented through the Zurich Crypto Framework package from ZRL. Trust Establishment uses a reduced version that does not include encryption and therefore has no problems with export regulations.


About the technology author(s):
No researcher information for Trust Establishment is available at this time. Any questions regarding the creators of this technology will be answered in the discussion forum.


Related technologies

For platform(s):
All Java Platforms

For topics:
Authentication

