A certificate is a document that attests to the truth of something or the ownership of something. In the world of computing, digital certificates serve a variety of functions. For example, a digital certificate may authenticate some entity by establishing that the entity is in fact what it claims to be. A digital certificate may also authorize an entity by establishing that the entity is entitled to access a restricted resource.
Certificates are very useful, and their use is growing as the expression and enforcement of security policy becomes an increasingly important enterprise capability. The number of certificate formats is also proliferating. Some of the more popular certificate formats available today are the X.509 certificate, the Security Assertion Markup Language (SAML) security token, XrML 1.2, and MPEG-REL. Note that MPEG-REL has a number of variations and goes by a number of names, including XrML 2.x, MPEG ISO-REL, and ISO-REL. The acronym MPEG-REL, as used here, refers at least to all of the above-listed variations.
By way of illustration of the differing functions and formats of these exemplary certificates: X.509 certificates adhere to their own ASN.1-defined binary encoding and typically represent identity, binding a public key to a named subject. SAML tokens adhere to their own XML schema and are widely used in federated identity solutions, where one party's assertion about a user is accepted by another. XrML 1.2 and MPEG-REL (a.k.a. XrML 2.x) express use policy for a resource, that is, which principal may exercise which rights over it under which conditions, and adhere to their own XML schemas.
Services and products exist today which produce and consume certificates. A problem arises, however, when a client that possesses a certificate in a first format encounters a server that consumes only certificates of a second format. At best, this results in inefficiency, because the client must either obtain an appropriately formatted certificate or determine beforehand which certificate format the server requires. At worst, it results in an interoperability failure.
Another weakness of present certificate issuing systems is that it is difficult to modify the circumstances under which a certificate may issue, the “certificate issuing policy.” In present systems, the policy is expressed either as compiled algorithms in the certificate issuing system binary code or as a specifically modeled, “brittle” set of configuration parameters that can only vary the criteria the programmers anticipated. Altering the policy in any other way requires recoding, recompiling and redeploying a new certificate issuing system binary. Thus, as a practical matter, certificate issuing policies are limited to those preconceived by the certificate issuing system programmers, and a change in policy may require the certificate issuing system to be entirely recoded. This can take a product development team a significant amount of time and effort to accomplish.
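The following is an added illustration of the distinction drawn above, not code from the patent text or any described product. It contrasts an issuing policy compiled into the issuer's code with the same policy expressed as data that a fixed evaluation engine interprets. The request fields (subject, key size, validity, requested format), the rule vocabulary, and the thresholds are assumptions chosen for illustration; the engine fails closed on rules it does not understand.

```python
"""Compiled issuing policy versus data-driven issuing policy (added example).

The request fields and rule vocabulary below are assumptions for
illustration only; they are not taken from the original text.
"""
from dataclasses import dataclass
import operator


@dataclass
class IssueRequest:
    subject: str           # requested subject name (assumed field)
    key_bits: int          # size of the key to be certified (assumed field)
    validity_days: int     # requested lifetime (assumed field)
    requested_format: str  # e.g. "X.509" or "SAML" (assumed field)


# --- Present-system style: the policy lives in code. Changing a threshold
# or adding a criterion means editing, recompiling and redeploying this.
def compiled_policy_allows(req: IssueRequest) -> bool:
    if req.key_bits < 2048:
        return False
    if req.validity_days > 365:
        return False
    if not req.subject.endswith("@example.com"):
        return False
    return True


# --- Data-driven style: rules are data; the engine never changes.
OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    "==": operator.eq,
    "in": lambda value, allowed: value in allowed,
    "endswith": lambda value, suffix: str(value).endswith(suffix),
}


@dataclass
class Rule:
    attribute: str  # name of the request field the rule inspects
    op: str         # key into OPS
    value: object   # operand compared against the request field
    reason: str     # human-readable reason reported on violation


def evaluate(rules, req: IssueRequest) -> list[str]:
    """Return the reason for every rule the request violates.

    An empty list means the request satisfies the whole policy. A rule that
    names an unknown attribute or operator is treated as a violation, so a
    mistyped policy fails closed rather than silently granting issuance.
    """
    violations = []
    for rule in rules:
        try:
            actual = getattr(req, rule.attribute)
        except AttributeError:
            violations.append(f"unknown attribute {rule.attribute!r}")
            continue
        fn = OPS.get(rule.op)
        if fn is None:
            violations.append(f"unknown operator {rule.op!r}")
            continue
        if not fn(actual, rule.value):
            violations.append(rule.reason)
    return violations


def allowed_by(rules, req: IssueRequest) -> bool:
    return not evaluate(rules, req)


# The same policy as compiled_policy_allows, but as data. Adding a rule, for
# instance to restrict which formats may be issued, is a data change only.
BASE_POLICY = [
    Rule("key_bits", ">=", 2048, "key too small"),
    Rule("validity_days", "<=", 365, "validity too long"),
    Rule("subject", "endswith", "@example.com", "subject outside domain"),
]
FORMAT_RULE = Rule("requested_format", "in", ["X.509", "SAML"], "format not issuable")


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    good = IssueRequest("alice@example.com", 2048, 90, "X.509")
    bad = IssueRequest("mallory@evil.example", 1024, 400, "XrML")
    print("compiled:", compiled_policy_allows(good), compiled_policy_allows(bad))
    print("data-driven:", evaluate(BASE_POLICY, good), evaluate(BASE_POLICY, bad))
    print("with format rule:", evaluate(BASE_POLICY + [FORMAT_RULE], bad))
```

Both styles reach the same decision for the same request; the difference is where the policy lives. With the data-driven form an operator can add `FORMAT_RULE` or tighten a threshold without touching the issuer binary, which is exactly the flexibility the text above says present systems lack.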
Therefore, there is an unmet need in the industry to provide increased interoperability in certificate issuing as well as to facilitate changes to certificate issuing policies.