[3941] in WWW Security List Archive


Re: Certificate based ACL model

daemon@ATHENA.MIT.EDU (si10875@ci.uminho.pt)
Wed Jan 8 21:00:10 1997

From: si10875@ci.uminho.pt
Date: Wed, 8 Jan 1997 22:44:22 +0100
To: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu


> I am trying to develop an ACL model for the security of content on our
> intranet.
> 
> Scalability is a problem with the userid/passwd or group/passwd model 
> provided by major servers.
> 
> We have approx 20,000, geographically distributed, current users on a
> variety of Wintel and UNIX platforms.
> 
> We can effectively limit our model to dealing with IE3.1+ and NS
> Navigator 3.01+ as far as browsers go and
> limit it to IIS and Netscape SSL capable servers.
> 
> I was intrigued by Marc Andreessen's Tech Vision columns about
> interoperable security:
> 
> http://home.netscape.com/comprod/columns/techvision/interoperable_security.html
> 
>   and I think we want to do something along those lines.
> 
> What I have in mind is this:
> 
>    I.  Issue personal certificates for various groupings.  For example,
> one authority would issue certificates to
> employees, another would issue certificates to contractors, and so on.
> 
>   II.  Content providers would then restrict access to their content
> based upon the issuer of the certificates.
> 
> 
>    Marc Andreessen's column implied (however loosely) that this form of
> access control was available on servers today.  That is, you could
> discriminate based upon the certificate authority.
> 
> I quote:
> 
> "For administrators, certificates can also simplify access control
> of servers and other resources: Rather than maintaining lengthy username
> and password lists at each server, administrators can simply configure a
> server to accept only certificates signed by a particular authority.
> Issuing certificates thus becomes a basic element of adding a new user,
> similar to adding a telephone extension". 
> 
> My questions are:
> 
>   1. Is this capability available now or in a future release of the
> Netscape servers?
>   2. If it is available now, how do you do it?
>   3.  Has anyone tried it?
>   4.  How about Microsoft IIS?
>   5.  Are the current versions of the two major browsers capable of
> doing this, (personal certificates)?
>   3.  Do we have to do it by using different certificate authorities or
> are there other certificate attributes we can use?
> 
> Any help will be greatly appreciated,
> 
> Andy Frush
> jaf@shellus.com

This issue of controlling access to a web site through certificates interests
me too.
I can tell you nothing about Netscape servers, but I know that with Microsoft
IIS you can't even request client certification!
As far as browsers are concerned, Netscape handles any kind of personal
certificate; it lets you define the Certification Authorities it should trust.
I think Internet Explorer only accepts the standard Certification Authorities
that come with it.

I am willing to hear the answers to your 6th question (the second 3.), if there
are any other attributes on certificates that can be used for access control.

Jorge
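The scheme both messages describe, restricting content by the authority that issued the client certificate and, where possible, by other certificate attributes, worked through as an added example. This is not code from the thread nor from any Netscape or Microsoft server; it uses only Go's standard crypto/x509 package (Go 1.21 or newer for slices.Contains). The authority names, user names, organizational units and content paths are all constructed for the illustration. Two authorities are placed in the server's trust store, a third with the same name is deliberately left out, and the access check verifies the chain before it reads the issuer or the subject OU, since those fields can be written into a certificate by anyone able to sign one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Constructed: one issuing authority per grouping, as the question proposes.
var issuerGroups = map[string]string{
	"Example Corp Employee CA":   "employees",
	"Example Corp Contractor CA": "contractors",
}

// A rule grants a group (derived from the issuer); a non-empty ou also requires
// that subject OU, one of the "other attributes" the question asks about.
type rule struct{ group, ou string }
var contentACL = map[string][]rule{ // constructed content ACL
	"/intranet/hr":       {{"employees", "HR"}},
	"/intranet/projects": {{"employees", ""}, {"contractors", "Projects"}},
}

type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must panics on error, acceptable in a self-contained demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign fills in serial number and validity, then signs tmpl with the parent's key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// newAuthority makes a self-signed CA: what an administrator loads into the server's accepted issuers.
func newAuthority(name string) *authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &authority{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// issue signs a personal certificate for one user with the given subject OU.
func (a *authority) issue(cn, ou string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, a.cert, &key.PublicKey, a.key)
}

// authorize is the server-side check. The chain is verified first; only then are the
// issuer name and subject OU trusted, because any signer can write any names into a cert.
func authorize(roots *x509.CertPool, client *x509.Certificate, path string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	group, ok := issuerGroups[client.Issuer.CommonName]
	if !ok {
		return "", fmt.Errorf("issuer %q is not mapped to a group", client.Issuer.CommonName)
	}
	for _, r := range contentACL[path] {
		if r.group == group && (r.ou == "" || slices.Contains(client.Subject.OrganizationalUnit, r.ou)) {
			return group, nil
		}
	}
	return "", fmt.Errorf("%s (%s) may not read %s", client.Subject.CommonName, group, path)
}

// buildDemo returns the trust store and constructed users; the third CA reuses the employee CA's name but is not trusted.
func buildDemo() (*x509.CertPool, map[string]*x509.Certificate) {
	employees := newAuthority("Example Corp Employee CA")
	contractors := newAuthority("Example Corp Contractor CA")
	untrusted := newAuthority("Example Corp Employee CA")
	roots := x509.NewCertPool()
	roots.AddCert(employees.cert)
	roots.AddCert(contractors.cert)
	return roots, map[string]*x509.Certificate{
		"alice": employees.issue("alice", "HR"),
		"bob":   employees.issue("bob", "Sales"),
		"carol": contractors.issue("carol", "Projects"),
		"dave":  untrusted.issue("dave", "HR"),
	}
}
```

With this setup, alice (employee, OU HR) may read both paths, bob (employee, OU Sales) only the projects area, carol (contractor, OU Projects) only the projects area, and dave is refused everywhere even though his certificate names the employee CA as issuer, because the signature does not verify against the CA actually in the trust store. The ordering inside authorize is the whole point: a server that reads the issuer field without verifying the chain is not doing certificate-based access control at all.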
