The present invention relates to techniques for verifying membership within a group authorized to obtain access to a predetermined resource within a computer network, and more particularly, to the assignment and use of a trust rating in at least one group credential within a set of credentials in determining whether to provide access to the specified resource.
Group credentials, such as group membership certificates, group non-membership certificates and group membership lists are used in computer networks to indicate whether a user or another group is authorized to obtain access to predetermined resources. When a certification authority issues a group credential, the issuer is making a certified statement with respect to the membership status of one or more users or groups. In some cases, the issuer may be using information from another source to determine whether or not to issue a group credential. The information obtained from the other source, however, may have varying levels of trustworthiness.
Certificate policies as described in the ITU-T Recommendation X.509 have been used in the past in the context of identity certificates. As described in the X.509 Recommendation, when a certification authority (CA) issues an identity certificate for a subject, the CA is able to mark the identity certificate with a policy that describes the circumstances under which the certificate was issued. Such policies have included information indicative of the reliability of the binding between the principal name and an associated public key.
It would be desirable, when evaluating a set of credentials including at least one group credential to have a mechanism for evaluating the set of credentials to ascertain a level of confidence that should be ascribed to the set of credentials in deciding whether or not to grant a user access to a predetermined resource.