Title of invention Method and system for a PKI-based delegation process
Abstract A client generates a session key and a delegation ticket containing information for a requested delegation operation. The client generates a first copy of the session key and encrypts it using a public key of a proxy. The client generates a second copy of the session key and encrypts it using a public key of a server. The client then puts the encrypted session keys and delegation ticket into a first message that is sent to the proxy. The proxy extracts and decrypts its copy of the session key from the first message. The proxy then encrypts a proof-of-delegation data item with the session key and places it and the delegation ticket along with the encrypted copy of the session key for the server into a second message, which is sent to the server. The server extracts and decrypts its copy of the session key from the second message and uses the session key to obtain the proof-of-delegation data. Authority is successfully delegated to the proxy only if the server can verify the proof-of-delegation data.
Publication number US8340283(B2) Publication date 2012.12.25
Application number US20040881978 Filing date 2004.06.30
Applicant NADALIN ANTHONY JOSEPH;RICH BRUCE ARLAND;ZHANG XIAOYAN;INTERNATIONAL BUSINESS MACHINES CORPORATION Inventor NADALIN ANTHONY JOSEPH;RICH BRUCE ARLAND;ZHANG XIAOYAN
Classification H04L29/06 Main classification H04L29/06
Agency Agent
Independent claim
Address