RFC 5755 further specifies the usage for authorization purposes on the Internet.
If it matches, the verifier will check the validity period of the AC.
If the AC is still valid, the verifier can perform additional checks before offering the user a particular level of service or resource usage in accordance with the attributes contained in the AC.
After authenticating the developer using the PKC and reviewing the software, the manufacturer may decide to issue an AC granting the software the basic capability to install itself and be executed, as well as an additional capability to use the Wi-Fi device, following the principle of least privilege.
In this example, the AC does not refer to the PKC of the developer as the holder but to the software, for example, by storing the developer's signature of the software in the holder field of the AC.
For example, a company gives one of its employees a company-wide AC that specifies the engineering department as the work area.
With an attribute certificate, the service or resource host does not need to maintain a potentially large access control list, or to always be connected to a network to reach a central server, as it would when using Kerberos.
It is similar to the idea of capabilities, in which the permission (or permissions) to use a service or resource is not stored in the service or resource itself but with the users, using a tamper-resistance mechanism.
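The verifier's checks described above (holder match, validity period, then service according to the AC's attributes, with no access control list on the host) can be modelled as follows. This is an added example, not code from RFC 5755 or any implementation: the dictionary layout, the function names and the key are assumptions, an HMAC stands in for the AC issuer's digital signature, and a SHA-256 digest of the software stands in for the developer's signature in the holder field.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the AC issuer's signing key

def _seal(body: dict) -> str:
    # Simplification: an HMAC over the canonical body replaces the issuer's signature.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

def issue_ac(holder: str, attributes: list, not_before: datetime, not_after: datetime) -> dict:
    body = {"holder": holder, "attributes": sorted(attributes),
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}
    return {"body": body, "seal": _seal(body)}

def verify_ac(ac: dict, presented_holder: str, now: datetime) -> frozenset:
    """Return the attributes the AC grants, or an empty set if any check fails."""
    body = ac["body"]
    # 1. Tamper resistance: any change to holder, attributes or dates breaks the seal.
    if not hmac.compare_digest(_seal(body).encode(), str(ac["seal"]).encode()):
        return frozenset()
    # 2. Holder match: the AC must be bound to what is actually being presented.
    if not hmac.compare_digest(str(body["holder"]).encode(), presented_holder.encode()):
        return frozenset()
    # 3. Validity period of the AC.
    start = datetime.fromisoformat(body["not_before"])
    end = datetime.fromisoformat(body["not_after"])
    if not (start <= now <= end):
        return frozenset()
    # 4. The permissions travel in the AC itself, so no ACL or server lookup is needed.
    return frozenset(body["attributes"])

# Constructed sample data: a software image and the least-privilege AC issued for it.
SOFTWARE = b"constructed firmware image v1"
HOLDER = hashlib.sha256(SOFTWARE).hexdigest()
AC = issue_ac(HOLDER, ["install", "execute", "wifi"],
              datetime(2024, 1, 1, tzinfo=timezone.utc),
              datetime(2025, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(sorted(verify_ac(AC, HOLDER, datetime(2024, 6, 1, tzinfo=timezone.utc))))
```

A real verifier would also validate the issuer's certificate chain and revocation status before trusting the AC's contents.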