
If we are talking about the ITU-T X.509 recommendation, the first aspect that would come to mind is binding public keys to specific subjects in an authentic way, be it a signing, a seal or an SSL certificate.But there is significantly less talk about an other type of certificates specified the recommendation, namely attribute certificates, that are rarely used, although they have several potential application areas.
If we want to electronically verify our specific roles (e.g. company representation, work title etc.) to an other party, we have several possible ways to do so. From these, the most trivial one may be to include it in our certificate; however, this may not be the best possible solution; on one hand, if said role changes, it means that the whole certificate has to be revoked; on the other hand, we do not want all of our data stored in one place by the party who manages our certificates by all means. Our other solution is essentialy that our role-specific data is not stored by a certification authority that issues our public key certificate, but by the party that originally has access to said data anyway – a basic example can be an employer’s certificate. If we choose this solution, attribute certificates can be of great help.
By definition, an attribute certificate is a verification that is binded to a public key certificate or its subject, and can be used to verify one or more roles, privileges or properties (alltogether: attributes) of the subject. Because the attribute certificates do not contain a public key, no signature creation device is needed for their usage. It is important that the attribute certificate always references the public key certificate in some manner, so it can be determined if the two belong together; this reference can be indicated in different ways; the attribute certificate could contain the certificate’s issuer’s DN or serial number (baseCertificateID), the subject of the public key certificate (entityName) or the public key certificate’s cryptographic hash (objectDigestInfo).
In spite of the several and detailed technical standards and specifications (from which the most up-to-date one is RFC 5755), attribute certificates have no explicit specified legal effect (at least not on the European/eIDAS level), although the recent draft of the eIDAS revision includes a new trust service, called „electronic attestation of attributes”, however, this is not about attribute certificates but blockchains. Legal effect of attribute certificates would mean a great possibility for Europe (or for Hungary at least), so we may hope that one day it will be specified in eIDAS as well.
© 2023 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41