Network operating systems often include access control systems (security systems) for controlling access to entities that are stored on the network or coupled to the network. The term “entity” includes hardware such as gateways to other networks, printers, and modems, as well as software such as directories, files, application programs, data, records, fields in a record, and cells in a spreadsheet—in other words, virtually any hardware or software resource of a computer network. Regardless of whether the network is simply two computers coupled peer-to-peer, or a wide area network with thousands of users, the access control system for the network will typically require authentication and authorization of the network's users. That is, the system will identify each user that can connect to the network (authentication) and limit the user's access rights to those entities on the network (authorization).
In large networks, a user may need to access a number of different access control systems, either explicitly, through manually logging onto the systems, or implicitly, where an application running on a client workstation interacts with a number of server applications. For example, a user may need to access the functions of an office network from the Internet using a Secured Sockets Layer (SSL) protocol. In such networks, public key cryptographic systems have been widely used to authenticate the user.
Public key cryptographic systems are well known. In public key cryptographic systems, a trusted authority may create a digital message, which contains a user=s public key and the name of the user. A representative of the trusted authority (Certificate Authority) digitally signs the digital message with the authority=s own signature to verify that the public key does indeed belong to the named user. A standard way of encoding such digital messages, known as digital certificates, is described in the X.509 V3 standard. In an X.509 digital certificate, the user's “name” is the user's distinguished name within the X.500 architecture. The X.500 architecture describes a tree-like naming scheme, wherein each entity on the network has a unique, or distinguished, name.
Access control systems for some Internet-based networks employ the user's X.500 distinguished name from the X.509 digital certificate to both authenticate and authorize the user. In such systems, the X.500 distinguished name is mapped (correlated) to user's credentials using a mapping record within a security registry. The mapping record contains a user namespace identification (user ID) or similar logon information corresponding to a single distinguished name. A number of these mapping records are stored in a security registry, which contains at least one mapping record for each digital certificate that the access control system is to recognize. If the X.500 distinguished name is recognized (i.e. contained in one of the mapping records), the ID corresponding to that distinguished name will be used to establish a network access environment wherein the user is provided access authorized entities on the network. One example of such an access control system is described in U.S. Pat. No. 5,922,074, issued on Jul. 13, 1999, and entitled “Method and Apparatus for Providing Secure Distributed Directory Services and Public Key Infrastructure.”
The use of mapping records eliminates the need for the user to authenticate with more than one server on the same network. In addition, the user ID provided by the mapping record can be used to authorize the user's access right to entities on the network. However, the use of mapping records and directory databases have several drawbacks. For example, the number of users that can be supported is limited by the number of mapping records that the database can handle. This drawback is exacerbated by the fact that the mapping record points to one, and only one, user ID.