Policy Certificate
Policy certificates can be placed anywhere in the resource hierarchy where a stakeholder wishes to set access policy for that resource or its subtree. If a policy certificate exists for a resource, it must specify at least one use-condition issuer group that has issued a use condition for this resource. If a policy certificate exists for a resource and no matching use condition can be found, all access to that resource is denied.
If no policy certificate exists for a resource, the access policy is inherited from the parent resource. A policy certificate is signed by one of the stakeholders named in the certificate. This is equivalent to a self-signed certificate, which implies that these certificates must be installed into the resource tree by a trusted administrator.
<AkentiCertificate>
  <SignablePart>
    <Header type="Policy" SignatureDigestAlg="RSA-MD5" CanonAlg="AkentiV1">
      (...)
    </Header>
    <PolicyCert>
      <ResourceName>ResName</ResourceName>
      <CAInfo>
        <CADN>/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD/CN=IDCG-C</CADN>
        <X509Certificate>
          -----BEGIN CERTIFICATE-----
          pem encoded X509 certificate of CA
          -----END CERTIFICATE-----
        </X509Certificate>
        <IdDirs>
          <URL>ldap://idcg-ca.lbl.gov/</URL>
        </IdDirs>
        <CRLDirs>
          <URL>ldap://idcg-ca.lbl.gov/</URL>
        </CRLDirs>
      </CAInfo>
      <UseCondIssuerGroup>
        <Principal>
          <UserDN>/C=US/O=LBNL/OU=ICSD/CN=Mary R. Thompson</UserDN>
          <CADN>/C=US/O=LBNL/OU=ICSD/CN=IDCG-CA</CADN>
        </Principal>
        <URL>http://www-itg.lbl.gov/~mrt/Certificates/</URL>
      </UseCondIssuerGroup>
      <AttrDirs>
        <URL>file:/usr/mrt/Attributes</URL>
        <URL>http://idcg-ds.lbl.gov/~kjackson/Certificates/</URL>
      </AttrDirs>
      <CacheTime>1800</CacheTime>
    </PolicyCert>
  </SignablePart>
</AkentiCertificate>
ResourceName: Name of the resource to which the policy certificate applies.
CAInfo: The CA certificates are placed in this certificate by the administrator of the resource tree. They are obtained in a trusted manner from the respective CAs.
UseCondIssuerGroup: One or more principals (stakeholders), followed by one or more replicated directories in which their use-condition certificates are stored. Akenti must find at least one use-condition certificate from each UseCondIssuerGroup in order to grant any access.
AttrDirs: URLs of places to search for attribute certificates. A file URL assumes the Akenti server has direct file read access to the directory; an http URL assumes a Web server is running on the specified host and will return the certificates; an ldap URL assumes an LDAP server is running on the default port on the specified host.
CacheTime: Maximum allowed cache time in seconds. In satisfying use conditions for this resource, only certificates that have been cached for less than this time will be used. Older cached certificates will be refetched.
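The following is an added example, not Akenti's own code: it parses a PolicyCert using the element names shown above and applies the rules the page states (inherit the policy from the parent resource when none exists, require at least one fresh use-condition certificate from every UseCondIssuerGroup, and treat cached certificates older than CacheTime as needing a refetch). The sample policy, the resource tree and the cached use-condition records are constructed; the "deny when no policy exists anywhere up the tree" outcome is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy certificate (element names from the page).
SAMPLE_POLICY = """<AkentiCertificate><SignablePart>
<Header type="Policy" SignatureDigestAlg="RSA-MD5" CanonAlg="AkentiV1"/>
<PolicyCert>
  <ResourceName>/lab/data</ResourceName>
  <UseCondIssuerGroup>
    <Principal><UserDN>/C=US/O=LBNL/OU=ICSD/CN=Mary R. Thompson</UserDN>
      <CADN>/C=US/O=LBNL/OU=ICSD/CN=IDCG-CA</CADN></Principal>
    <URL>http://www-itg.lbl.gov/~mrt/Certificates/</URL>
  </UseCondIssuerGroup>
  <UseCondIssuerGroup>
    <Principal><UserDN>/C=US/O=LBNL/OU=ICSD/CN=Second Stakeholder</UserDN>
      <CADN>/C=US/O=LBNL/OU=ICSD/CN=IDCG-CA</CADN></Principal>
    <URL>file:/usr/local/akenti/UseConds</URL>
  </UseCondIssuerGroup>
  <CacheTime>1800</CacheTime>
</PolicyCert></SignablePart></AkentiCertificate>"""

def parse_policy(xml_text):
    """Return (resource name, list of issuer-DN sets, one per group, cache time)."""
    pc = ET.fromstring(xml_text).find("SignablePart/PolicyCert")
    groups = [{p.findtext("UserDN").strip() for p in g.findall("Principal")}
              for g in pc.findall("UseCondIssuerGroup")]
    if not groups:  # a policy certificate must name at least one issuer group
        raise ValueError("PolicyCert must contain at least one UseCondIssuerGroup")
    return pc.findtext("ResourceName").strip(), groups, int(pc.findtext("CacheTime"))

def effective_policy(resource, policies):
    """Walk up the resource tree until a resource with a policy certificate is found."""
    path = resource
    while path not in policies:
        if path in ("", "/"):
            return None  # no policy anywhere up the tree
        path = path.rsplit("/", 1)[0] or "/"
    return policies[path]

def partition_cache(cached, cache_time):
    """Split cached (issuer DN, age in seconds) records into usable and to-refetch."""
    fresh = {dn for dn, age in cached if age < cache_time}
    stale = [dn for dn, age in cached if age >= cache_time]
    return fresh, stale

def groups_satisfied(resource, policies, cached):
    """True only if every UseCondIssuerGroup has a fresh use-condition certificate."""
    policy = effective_policy(resource, policies)
    if policy is None:
        return False  # assumption: no policy at all is treated as deny
    _, groups, cache_time = parse_policy(policy)
    fresh, _ = partition_cache(cached, cache_time)
    return all(group & fresh for group in groups)
```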