Authorization is the process of granting or denying access or permission to use a resource in a secured environment.
This is usually linked to authentication, because most computer security systems are based on a two-step process.
The first step is authentication, which identifies a user and ensures that they are who they claim to be; the second is authorization, which decides what that identified user is permitted to do.
The policies deciding what permissions are given to each user are set by the owners of the resources. These permissions can be based on the user's identity, on the user's role within the organization, or on a combination of the two.
An authorization certificate is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.
For example, authorization certificates of this kind are found in the mobile software deployments of large service providers and are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others.
In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (i.e. the mobile phone operating system or application environment) to include one or more root certificates, each associated with a set of capabilities or permissions such as "update firmware", "access address book", "use radio interface" and the most basic one, "install and execute". When a developer wishes to enable distribution and execution in one of these controlled environments, they must acquire a certificate from an appropriate CA, typically a large commercial CA. In the process they usually have their identity verified using out-of-band mechanisms such as a combination of phone calls and validation of their legal entity through government and commercial databases, similar to the high-assurance SSL certificate vetting process, though often additional requirements are imposed on would-be developers/publishers.
Once the identity has been validated, they are issued an identity certificate they can use to sign their software. Generally the software signed by the developer's or publisher's identity certificate is not distributed directly; rather it is submitted to a processor, which may test or profile the content before generating an authorization certificate that is unique to that particular software release. That certificate is then used with an ephemeral asymmetric key pair to sign the software as the last step of preparation for distribution. Separating the identity and authorization certificates has many advantages, especially in mitigating the risk of new content being accepted into the system, in key management, and in recovering from errant software that could otherwise be used as an attack vector.
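The issue-and-verify flow described above, written out as an added example in Go. This is not code from the page or from any of the platforms it names; the certificate format, the ProcessorIssue and TerminalVerify functions, the vetted-developer registry, the permission strings and the sample release are all constructed for illustration. The example treats the developer's identity certificate as an Ed25519 signing key known to the processor, the provider's root key as the one preloaded on the terminal, and the authorization certificate as a root-signed binding of release hash, granted permissions and a one-time ephemeral public key. The terminal accepts a package only when the root signature, the release hash and the ephemeral signature all verify, and a permission request is then a lookup in the certificate rather than in a host-side access control list.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthCert is a hypothetical authorization certificate: it binds one release
// (by hash) to its granted permissions and to the ephemeral public key whose
// private half signs the package. The provider's root key signs the certificate.
type AuthCert struct {
	ReleaseHash  []byte            `json:"release_hash"`
	Permissions  []string          `json:"permissions"`
	EphemeralPub ed25519.PublicKey `json:"ephemeral_pub"`
	Signature    []byte            `json:"signature,omitempty"`
}

// tbs is the to-be-signed encoding: the certificate with Signature cleared.
func (c AuthCert) tbs() []byte {
	c.Signature = nil // value receiver: the caller's copy keeps its signature
	b, _ := json.Marshal(c)
	return b
}

// SignedPackage is what the terminal receives for installation.
type SignedPackage struct {
	Release []byte
	Cert    AuthCert
	Sig     []byte // by the ephemeral private key, over Release
}

// ProcessorIssue checks the developer's identity-key signature, mints a
// certificate unique to this release, and signs with a fresh ephemeral key.
func ProcessorIssue(rootPriv ed25519.PrivateKey, vetted map[string]ed25519.PublicKey,
	dev string, release, devSig []byte, perms []string) (*SignedPackage, error) {
	idPub, ok := vetted[dev]
	if !ok || !ed25519.Verify(idPub, release, devSig) {
		return nil, errors.New("submission is not signed by a vetted developer")
	}
	ephPub, ephPriv, _ := ed25519.GenerateKey(rand.Reader) // one key pair per release
	h := sha256.Sum256(release)
	cert := AuthCert{ReleaseHash: h[:], Permissions: perms, EphemeralPub: ephPub}
	cert.Signature = ed25519.Sign(rootPriv, cert.tbs())
	sig := ed25519.Sign(ephPriv, release) // ephPriv is discarded after this one use
	return &SignedPackage{Release: release, Cert: cert, Sig: sig}, nil
}

// TerminalVerify walks root -> certificate -> package; any error denies install.
func TerminalVerify(rootPub ed25519.PublicKey, p *SignedPackage) ([]string, error) {
	if !ed25519.Verify(rootPub, p.Cert.tbs(), p.Cert.Signature) {
		return nil, errors.New("certificate not signed by the trusted root")
	}
	if h := sha256.Sum256(p.Release); !bytes.Equal(h[:], p.Cert.ReleaseHash) {
		return nil, errors.New("certificate was issued for a different release")
	}
	if !ed25519.Verify(p.Cert.EphemeralPub, p.Release, p.Sig) {
		return nil, errors.New("package signature does not match the certified key")
	}
	return p.Cert.Permissions, nil
}

// Allowed is the per-operation check; the permission travels with the certificate.
func Allowed(granted []string, want string) bool {
	for _, g := range granted {
		if g == want {
			return true
		}
	}
	return false
}

// BuildDemo runs the flow with constructed keys and a constructed release.
func BuildDemo() (ed25519.PublicKey, *SignedPackage, error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // provider root
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)     // developer identity key
	vetted := map[string]ed25519.PublicKey{"acme-dev": idPub}
	release := []byte("constructed sample application binary v1.0")
	devSig := ed25519.Sign(idPriv, release) // developer signs the submission
	pkg, err := ProcessorIssue(rootPriv, vetted, "acme-dev", release, devSig,
		[]string{"install and execute", "access address book"})
	return rootPub, pkg, err
}

func main() {
	rootPub, pkg, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	granted, err := TerminalVerify(rootPub, pkg)
	fmt.Println("granted:", granted, "err:", err, "radio:", Allowed(granted, "use radio interface"))
}
```

Because the certificate names the release hash and the ephemeral key, a second release cannot reuse the certificate, a tampered binary fails the hash check, and editing the permission list invalidates the root signature; the processor never has to keep the ephemeral private key, which is the key-management and recovery advantage the text refers to.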
This approach spares the service or resource host from having to maintain large access control lists. It is similar to the idea of capabilities: store the permission (or permissions) together with a protected pointer to the object, rather than with the object itself.