Privilege Management Infrastructure

Privilege Management is the process of managing user authorisations based on the ITU-T Recommendation X.509. The 2001 edition of X.509 specifies most (but not all) of the components of a Privilege Management Infrastructure (PMI), based on X.509 attribute certificates (ACs). Later editions of X.509 (2005 and 2009) have added further components to the PMI, including a delegation service (in 2005 ) and interdomain authorisation (in the 2009 edition ). Privilege Management is the process of managing user authorisations based on the ITU-T Recommendation X.509. The 2001 edition of X.509 specifies most (but not all) of the components of a Privilege Management Infrastructure (PMI), based on X.509 attribute certificates (ACs). Later editions of X.509 (2005 and 2009) have added further components to the PMI, including a delegation service (in 2005 ) and interdomain authorisation (in the 2009 edition ). Privilege management infrastructures (PMIs) are to authorisation what public key infrastructures (PKIs) are to authentication. PMIs use attribute certificates (ACs) to hold user privileges, in the form of attributes, instead of public key certificates (PKCs) to hold public keys. PMIs have Sources of Authority (SoAs) and Attribute Authorities (AAs) that issue ACs to users, instead of certification authorities (CAs) that issue PKCs to users. Usually PMIs rely on an underlying PKI, since ACs have to be digitally signed by the issuing AA, and the PKI is used to validate the AA's signature.