[3939] in WWW Security List Archive
Certificate based ACL model
daemon@ATHENA.MIT.EDU (Frush JA (Andy) at MSXSSC)
Mon Jan 6 23:13:37 1997
From: "Frush JA (Andy) at MSXSSC" <AF186306@shellus.com>
To: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Cc: "East JT (Tom) at UNIX" <EAST@shellus.com>
Date: Mon, 6 Jan 1997 15:14:31 -0600
Errors-To: owner-www-security@ns2.rutgers.edu
I am trying to develop an ACL model for the security of content on our
intranet.
Scalability is a problem with the userid/passwd or group/passwd model
provided by major servers.
We have approx 20,000, geographically distributed, current users on a
variety of Wintel and UNIX platforms.
We can effectively limit our model to dealing with IE3.1+ and NS
Navigator 3.01+ as far as browsers go and
limit it to IIS and Netscape SSL capable servers.
I was intrigued by Marc Andreessen's Tech Vision columns about
interoperable security:
http://home.netscape.com/comprod/columns/techvision/interoperable_security.html
and I think we want to do something along those lines.
What I have in mind is this:
I. Issue personal certificates for various groupings. For example,
one authority would issue certificates to
employees, another would issue certificates to contractors, and so on.
II. Content providers would then restrict access to their content
based upon the issuer of the certificates.
Marc Andreessen's column implied (however loosely) that this form of
access control was available on servers today. That is, you could
discriminate based upon the certificate authority.
I quote:
"For administrators, certificates can also simplify access control
of servers and other resources: Rather than maintaining lengthy username
and password lists at each server, administrators can simply configure a
server to accept only certificates signed by a particular authority.
Issuing certificates thus becomes a basic element of adding a new user,
similar to adding a telephone extension."
My questions are:
1. Is this capability available now or in a future release of the
Netscape servers?
2. If it is available now, how do you do it?
3. Has anyone tried it?
4. How about Microsoft IIS?
5. Are the current versions of the two major browsers capable of
doing this (personal certificates)?
6. Do we have to do it by using different certificate authorities or
are there other certificate attributes we can use?
Any help will be greatly appreciated,
Andy Frush
jaf@shellus.com
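An added illustration of the model sketched in the post above (it is not code from the post, nor from any Netscape or IIS product): one issuing authority per grouping, and a server-side check that admits a personal certificate only if it verifiably chains to an authority the content's ACL names. The authority names ("Example Employee CA", "Example Contractor CA"), the users and the OU values are constructed for the example. It goes one step beyond the post: the ACL can also require a subject attribute (here the OU), which is the "other certificate attributes" alternative raised in question 6. The caveat it demonstrates is that the decision must be keyed on the root the chain actually verifies to, not on the Issuer name printed in the certificate, since an authority outside the server's trust list can reuse that name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// must aborts on setup errors (key generation, signing); they are not the point of the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// groupCA is the issuing authority for one grouping of users; all keys and certificates are constructed in memory.
type groupCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template returns a 24-hour certificate template: CAs may sign, users are marked for client authentication.
func template(serial int64, subject pkix.Name, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: isCA}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// newCA creates a self-signed authority whose CommonName is cn.
func newCA(cn string, serial int64) *groupCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(serial, pkix.Name{CommonName: cn}, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &groupCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueUser issues a personal (client-auth) certificate for cn in organizational unit ou.
func (ca *groupCA) issueUser(cn, ou string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(serial, pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}}, false)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// contentACL: which trusted authorities (by CommonName) may have issued the certificate and,
// optionally, an OU the subject must carry (an "other certificate attribute" rule).
type contentACL struct {
	allowedIssuers map[string]bool
	requiredOU     string // empty means any OU
}

// authorize verifies that the client certificate chains to one of the server's trusted group CAs
// and only then consults the ACL, keyed on the verified root rather than the printed Issuer name.
func authorize(client *x509.Certificate, trusted []*x509.Certificate, acl contentACL) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	root := chains[0][len(chains[0])-1]
	if !acl.allowedIssuers[root.Subject.CommonName] {
		return fmt.Errorf("issuer %q not permitted for this content", root.Subject.CommonName)
	}
	if acl.requiredOU != "" && !slices.Contains(client.Subject.OrganizationalUnit, acl.requiredOU) {
		return fmt.Errorf("certificate lacks required OU %q", acl.requiredOU)
	}
	return nil
}

// runScenario builds employee and contractor CAs plus an impostor CA reusing the employee CA's name,
// issues one user each, and reports: employee, contractor, impostor against an issuer-only ACL,
// then the employee (OU Finance) against an ACL that also requires OU "Legal".
func runScenario() [4]bool {
	employees, contractors := newCA("Example Employee CA", 1), newCA("Example Contractor CA", 2)
	impostor := newCA("Example Employee CA", 3) // same name, but absent from the server's trust list
	trusted := []*x509.Certificate{employees.cert, contractors.cert}
	alice := employees.issueUser("alice", "Finance", 10)
	bob := contractors.issueUser("bob", "Consulting", 11)
	mallory := impostor.issueUser("mallory", "Finance", 12)
	byIssuer := contentACL{allowedIssuers: map[string]bool{"Example Employee CA": true}}
	legalOnly := contentACL{allowedIssuers: byIssuer.allowedIssuers, requiredOU: "Legal"}
	return [4]bool{authorize(alice, trusted, byIssuer) == nil, authorize(bob, trusted, byIssuer) == nil,
		authorize(mallory, trusted, byIssuer) == nil, authorize(alice, trusted, legalOnly) == nil}
}

func main() { fmt.Println(runScenario()) } // prints [true false false false]
```

The server-side piece that matters is `authorize`: the trust list (which CA certificates the server will chain to) is a server setting, and the ACL is a per-content rule layered on top of it. The impostor case shows why the two must stay separate: mallory's certificate names the employee CA as its issuer, so an ACL that merely compared that string would admit her, while chain verification against the server's trust list rejects her before the ACL is consulted.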