Access control meets public key infrastructure, or: assigning roles to strangers

Existing role-based access control mechanisms are extended to provide a simple, modular architecture and easy migration from existing systems. The resulting system automatically collects missing certificates from peer servers. An implementation that can be used as an extension of a web server or as a separate server with interface to applications is discussed.