
The X.509 Privilege Management Infrastructure

By David W. Chadwick


This paper provides an overview of the Privilege Management Infrastructure (PMI) introduced in the 2000 edition of X.509. It describes the entities in the infrastructure (Sources of Authority, Attribute Authorities and Privilege Holders) as well as the basic data structure, the attribute certificate, that is used to hold privileges. The contents of attribute certificates are described in detail, including the various policy-related extensions that may be added to them. The similarities between PMIs and PKIs are highlighted. The paper also describes how attribute certificates can be used to implement the three well-known access control schemes: DAC, MAC and RBAC. Finally, the paper gives an overview of how a privilege verifier might operate, and the various types of information that need to be provided to it.

Topics: QA76
Publisher: IOS Press
Year: 2004
