"Introduction X.509 public key certificates (PKCs) [X.509-1997] [X.509-2000] [PKIXPROF] bind an identity and a public key. An attribute certificate (AC) is a structure similar to a PKC; the main difference being that the AC contains no public key. An AC may contain attributes that specify group membership@ role@ security clearance@ or other authorization information associated with the AC holder. The syntax for the AC is defined in Recommendation X.509@ making the term ""X.509 certificate"" ambiguous. Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder@ tends to last for a long time@ and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport@ getting a visa can be a simpler process. Authorization information may be placed in a PKC extension or placed in a separate attribute certificate (AC). The placement of authorization information in PKCs is usually undesirable for two reasons. First@ authorization information often does not have the same lifetime as the binding of the identity and the public key. When authorization information is placed in a PKC extension@ the general result is the shortening of the PKC useful lifetime. Second@ the PKC issuer is not usually authoritative for the authorization information. This results in additional steps for the PKC issuer to obtain authorization information from the authoritative source. For these reasons@ it is often better to separate authorization information from the PKC. Yet@ authorization information also needs to be bound to an identity. An AC provides this binding; it is simply a digitally signed (or certified) identity and set of attributes. An AC may be used with various security services@ including access control@ data origin authentication@ and non-repudiation. PKCs can provide an identity to access control decision functions. However@ in many contexts@ the identity is not the criterion that is used for access control decisions; rather@ the role or groupmembership of the accessor is the criterion used. Such access control schemes are called role-based access control. When making an access control decision based on an AC@ an access control decision function may need to ensure that the appropriate AC holder is the entity that has requested access. One way in which the linkage between the request or identity and the AC can be achieved is the inclusion of a reference to a PKC within the AC and the use of the private key corresponding to the PKC for authentication within the access request. ACs may also be used in the context of a data origin authentication service and a non-repudiation service. In these contexts@ the attributes contained in the AC provide additional information about the signing entity. This information can be used to make sure that the entity is authorized to sign the data. This kind of checking depends either on the context in which the data is exchanged or on the data that has been digitally signed. This document obsoletes [RFC3281]. Changes since [RFC3281] are listed in Appendix D."