2.5.5.1.2 Authenticate User or Computer Identity by Using an X.509 Certificate

Goal: To authenticate the identity of a user or computer to the AA by using an X.509 certificate.

Context of Use: Same as section 2.5.5.1.1.

Direct Actor: Same as section 2.5.5.1.1.

Primary Actor: Same as section 2.5.5.1.1.

Supporting Actors: Same as section 2.5.5.1.1.

Preconditions:

  • Same as section 2.5.5.1.1.

Minimal Guarantees: Same as section 2.5.5.1.1.

Success Guarantee: Same as section 2.5.5.1.1.

Main Success Scenario:

  1. To prove the identity of the user or computer by using PKI services, the Authentication Client submits to the AA user or computer credential information that consists of the user name or computer account name, the domain name, the user's or computer's X.509 certificate, and a timestamp that is signed by using the certificate.

  2. The AA validates the certificate chain, verifies the signature on the timestamp by using PKI services, and then looks up the account in the account DB. When verification succeeds, the AA returns to the Authentication Client a TGT and a session key encrypted with the public key of the user's certificate.

Postconditions: Same as section 2.5.5.1.1.
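The two steps above, worked through as an added Go example (it is not code from the specification and does not model the real protocol encoding): the Authentication Client signs a timestamp with the private key of its certificate, and the AA validates the chain against its trusted roots, verifies the signature, looks the account up, and returns a TGT with a session key encrypted to the certificate's RSA public key. Everything beyond the spec's outline is an assumption made here: the signed timestamp is an RFC 3339 string under SHA-256/PKCS#1 v1.5, the AA enforces a clock-skew window on it, the certificate is tied to the account by matching Subject CN to the account name, the session key is wrapped with RSA-OAEP, and the TGT is an opaque placeholder. The root CA, user certificate, account DB and names (`CORP\alice`, "Example Root CA") are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CredentialInfo struct { // the step-1 submission: account name, domain name, X.509 certificate, signed timestamp
	AccountName, DomainName string
	Cert                    *x509.Certificate
	Timestamp               time.Time
	Signature               []byte // SHA256WithRSA over timestampBytes(Timestamp); this encoding is an assumption
}

type AA struct { // a minimal Authentication Authority: trusted roots, an account DB and a timestamp skew policy
	Roots    *x509.CertPool
	Accounts map[string]bool // keyed "DOMAIN\account"; a constructed stand-in for the account DB
	MaxSkew  time.Duration   // freshness window for the signed timestamp (assumed policy, not from the spec)
}

func timestampBytes(t time.Time) []byte { return []byte(t.UTC().Format(time.RFC3339Nano)) }

// SignCredential is the Authentication Client side of step 1: sign a timestamp with the certificate's private key.
func SignCredential(account, domain string, cert *x509.Certificate, key *rsa.PrivateKey, now time.Time) (*CredentialInfo, error) {
	digest := sha256.Sum256(timestampBytes(now))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &CredentialInfo{AccountName: account, DomainName: domain, Cert: cert, Timestamp: now, Signature: sig}, nil
}

// Authenticate is the AA side of step 2; on success it returns the TGT and the session key encrypted (RSA-OAEP) to the certificate's public key.
func (aa *AA) Authenticate(c *CredentialInfo, now time.Time) ([]byte, []byte, error) {
	opts := x509.VerifyOptions{Roots: aa.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Cert.Verify(opts); err != nil {
		return nil, nil, fmt.Errorf("certificate chain validation failed: %w", err)
	}
	// Reject a timestamp outside the skew window so a captured submission cannot simply be replayed later.
	if d := now.Sub(c.Timestamp); d > aa.MaxSkew || d < -aa.MaxSkew {
		return nil, nil, fmt.Errorf("timestamp outside the accepted skew window")
	}
	if err := c.Cert.CheckSignature(x509.SHA256WithRSA, timestampBytes(c.Timestamp), c.Signature); err != nil {
		return nil, nil, fmt.Errorf("timestamp signature invalid: %w", err)
	}
	// Bind the certificate to the claimed account; this model requires Subject CN == account name (an assumption).
	pub, ok := c.Cert.PublicKey.(*rsa.PublicKey)
	if !ok || c.Cert.Subject.CommonName != c.AccountName {
		return nil, nil, fmt.Errorf("certificate is not RSA or does not match the claimed account")
	}
	if !aa.Accounts[c.DomainName+`\`+c.AccountName] {
		return nil, nil, fmt.Errorf("account not found in account DB")
	}
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	enc := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil))
	// The TGT is an opaque placeholder (constructed); a real AA would issue a Kerberos ticket here.
	return []byte("TGT-PLACEHOLDER:" + c.DomainName + `\` + c.AccountName), enc, nil
}

// RecoverSessionKey is the client's last step: decrypt the session key with the certificate's private key.
func RecoverSessionKey(encSessionKey []byte, key *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, encSessionKey, nil)
}

// BuildFixture constructs a throwaway root CA, a user certificate it issued, and an AA that trusts that root.
func BuildFixture(domain, account string) (*AA, *x509.Certificate, *rsa.PrivateKey) {
	now := time.Now()
	caKey, userKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: account},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))))
	aa := &AA{Roots: x509.NewCertPool(), Accounts: map[string]bool{domain + `\` + account: true}, MaxSkew: 5 * time.Minute}
	aa.Roots.AddCert(ca)
	return aa, cert, userKey
}
// must panics on error; used where failure (key generation, the system RNG) leaves nothing sensible to continue with.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func main() {
	aa, cert, key := BuildFixture("CORP", "alice")
	tgt, encKey, err := aa.Authenticate(must(SignCredential("alice", "CORP", cert, key, time.Now())), time.Now())
	sessionKey, _ := RecoverSessionKey(encKey, key)
	fmt.Printf("TGT %q, error: %v, session key %d bytes\n", tgt, err, len(sessionKey))
}
```

The order of checks in `Authenticate` is deliberate: the chain is validated before anything in the submission is trusted, the timestamp window is applied before the comparatively expensive signature check, and the account lookup only happens once the certificate has been shown to belong to the claimed account. A certificate from a CA the AA does not trust, a replayed (stale) timestamp, a tampered signature, or an account name that the certificate does not vouch for all fail before any session key is generated.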