At the technical level, we can foresee two different logical and technical approaches in order to solve the "attributes certification" problem being faced:

1. Centralised approach
   Where the PKI Certification Authority (CA), in addition to authenticating the identity of a party, is itself in charge both to verify the attributes and to certify those attributes. From a technical point of view, the certified attributes could be stored directly in the certificate, usually in the X509 standards extension, however every time an attribute changes, the certificate would have to be revoked and then re-issue. Another option would be to store them in a parallel certified database managed by the CA; this model has been adopted, for instance, by Enterprise CA & XUDA of Xcert.
   
   
2. Distributed approach
   Where the personal identity information is certified by the PKI CA and all other information is provided and certified by the "direct" owner (or manager) of the attribute information (i.e. the university for a registered student, a medical or engineering association for professionals, etc…), From a technical point of view, "matching" codes and procedures are available in order to link the identity certificate to all the other attributes available on the Internet.

The PERMIS project intends to explore and to demonstrate the feasibility of the distributed approach. The fundamental objective is to set-up and to demonstrate an "infrastructure" able to solve both the AUTHENTICATION and the AUTHORISATION issues, letting each attribute owner or manager directly certify the attributes of individuals.

The assumption which we intend to demonstrate, is that the distributed approach, if proved feasible, would be inherently much more democratic (no big centralised database gathering all kinds of personal information), manageable in administrative terms (any attribute change would be immediately made available to interested parties) and, for these reasons, successful.

Three secure applications have been developed and demonstrated, one in each of three European cities (Barcelona, Bologna, Salford) in order to prove the validity of the entire infrastructure (i.e. an interoperable and scalable PKI and PMI able to solve any issue related to identification, authentication and authorisation in an e-Government environment) and in order to prove the usefulness and success of such electronic services.

The project uses public-key infrastructures (PKI) necessary to securely manage public keys for widely-distributed users or systems and required to provide encryption and digital signature services. The PERMIS PKIs will be compliant to the X.509 standard, a widely-accepted basis for such an infrastructure, defining data formats and procedures related to distribution of public keys via certificates digitally signed by certification authorities (CAs); PKI technology solves the problem of "who is this person" trying to do business with you, by providing strong identification and authentication with digital certificates, and allows reliable business communications by providing privacy and data integrity through the use of encryption and non repudiation through the use of digital signatures.

The PERMIS project designed and built a completely new infrastructure, a so called "Privilege Management Infrastructure" (PMI) that can be defined as the complete set of processes required to provide an authorisation service.