It is truly a piece of user identity, packaged in a way that can
travel together with service requests; it is also a way of transmitting
user credentials, or at least a means of performing authentication
operations. The presence of the statements part allows
nearly immediate authorization operations, too. A token is not
issued by a CA, but by a functional equivalent. The details of the
authority that issues tokens will vary depending on the technology
used for implementing the scheme.
Certificates are static.
Issued tokens can have the same cryptographic strengths of certificates, yet at the same time be more expressive and much faster to obtain.
The Babel of Cryptography 71
Many network infrastructure software products make use of
token-based schemas. After users log in to the network, they are
typically assigned by an authority a token that represents their
identity in terms of their access rights (or information useful to
deduce access rights). Every time an account attempts to gain
access to a resource, the information contained in the token is
combined with the policy associated with the resource itself
(often codified in the form of an access control list, or ACL), and an
authorization decision is made.
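A minimal illustration of this flow, added here as an example and not taken from the book or from any product: a hypothetical authority issues a token carrying statements (subject, group memberships, expiry) protected by an HMAC tag, the resource verifies the tag and expiry, and the statements are combined with the resource's ACL to reach an allow/deny decision. The issuer secret, issuer name, token layout and ACL format are all constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared between the issuing authority and the
# resource; in a real deployment this would be a key managed by the authority.
ISSUER_SECRET = b"demo-issuer-secret"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, groups, ttl=300, secret=ISSUER_SECRET):
    """Authority side: package statements about the user and attach an integrity tag."""
    statements = {"iss": "demo-authority", "sub": subject,
                  "groups": list(groups), "exp": int(time.time()) + ttl}
    body = b64(json.dumps(statements, sort_keys=True).encode())
    tag = b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_token(token, secret=ISSUER_SECRET, now=None):
    """Resource side: return the statements only if the tag is valid and the token is unexpired."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(tag)):
            return None
        statements = json.loads(unb64(body))
    except ValueError:  # malformed structure, bad base64, or bad JSON
        return None
    current = time.time() if now is None else now
    if statements.get("exp", 0) <= current:
        return None
    return statements


def authorize(token, acl, action, now=None):
    """Combine the token's statements with the resource ACL; deny unless an entry grants."""
    statements = verify_token(token, now=now)
    if statements is None:
        return False
    principals = {statements["sub"]} | {"group:" + g for g in statements.get("groups", [])}
    return any(entry["principal"] in principals and action in entry["allow"] for entry in acl)
```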