Verification of X.509 Attribute Certificates for Attribute-based Authorization: A Practical Approach / Berbecaru, D. - ELECTRONIC. - (2021), pp. 346-351. (Paper presented at the 25th International Conference on System Theory, Control and Computing, ICSTCC 2021, held in Iași (Romania), October 20 – 23, 2021) [10.1109/ICSTCC52150.2021.9607273].
Verification of X.509 Attribute Certificates for Attribute-based Authorization: A Practical Approach
Berbecaru D.
2021
Abstract
Access control and authorization technologies are intensively studied nowadays, as they form the basis of web-based services, but also of other emerging networks, such as smart cities, the Internet of Things and grid computing. To support authorization, X.509 attribute certificates (associated with corresponding public key certificates) may be employed. The attribute certificates must be properly verified before granting access to the services or (data) objects. This process involves several steps, including checking the formal validity of the attribute certificate and checking the privileges corresponding to the data contained in the certificate itself. The X.509 standard indicates a dedicated entity, named the privilege verifier, in charge of performing these checks before granting a privilege holder access to an object. This paper describes a possible implementation of a privilege verifier, which exploits a dedicated Attribute Certificate Validation Module (ACVM) to verify attribute certificates. In our approach, we reduce the complexity of the ACVM, which must also support the validation of the public key certificates associated with the attribute certificates, with the help of a specialized public key certificate validation service provided by a client-server architecture we have previously implemented.

File | Size | Format
---|---|---
Verification_of_X.509_Attribute_Certificates_for_Attribute-based_Authorization_A_Practical_Approach.pdf (not available) | 402.75 kB | Adobe PDF

Type: 2a Post-print publisher's version / Version of Record
License: Non-public - Private/restricted access
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2963680