Research On Delegation Model Of Privilege Management Infrastructure

Posted on: 2008-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhang
Full Text: PDF
GTID: 2178360272968021
Subject: Information security
Abstract/Summary:
With the rapid development of the Internet and electronic commerce, services are required to be increasingly specialized and finely divided. As a result, Public Key Infrastructure (PKI), which performs both authentication and authorization, has become ill-suited to today's information technology environment. Privilege Management Infrastructure (PMI) has therefore emerged as a logical extension of PKI, with the main purpose of providing a new pervasive infrastructure for privilege management. This thesis thoroughly investigates the attribute certificate authorization mechanism of PMI.

However, in a large-scale PKI/PMI system, it is necessary to separate the AC authority. Doing so avoids bottleneck problems and satisfies the principle of minimizing duties. It is therefore necessary to study the application of the delegation model.

Because of its distributed authorization, the X.509v4 (2000) PMI delegation model suffers from complex information collection and difficulty in implementing new policy. The concept of a Delegation Issuing Service (DIS) was proposed in the X.509 2005 draft amendment, which also gives the certificate extension that supports this new concept. However, it assumes that ACs issued before the AA's revocation are legal. The X.509 PMI delegation model therefore lacks flexibility in practice.

Based on a study of the X.509v4 (2000) delegation model, a delegation-issue-based PMI privilege delegation model is designed to address the defects of the X.509v4 (2000) PMI delegation model and the DIS-based PMI delegation model. The thesis gives the implementation mechanisms of the new model, such as the application for and validation of certificates. Because the model is based on the concept of DIS, certificate information collection and key management are more convenient. Meanwhile, the new model is more flexible in practice because it defines a new attribute certificate chain policy.
Keywords/Search Tags: PMI, PKI, Attribute Certificate, Delegation, Delegation Issuing Service