Authorization is the half of access control that deals with privilege (authentication is the other half, which deals with identity). Most people are familiar with access control lists (ACLs), which are a form of centralized authorization. Certificates are the principal method of implementing decentralized authorization.

In centralized auth, each time an entity wants to access some resource, the gatekeeper in charge of that resource verifies the entity's entitlement against a centralized authorization database. In decentralized auth, the gatekeeper checks a signed credential which the entity presents.

The centralized system has the advantage that revocation of privilege is immediate, although it gains this at the cost of a slower authorization mechanism - each request needs to return to the authoritative data store, which leads to a scalability issue.

Decentralized auth has the reverse setup - verifications are fast, and scale nicely - each entity receives its credential once from a central authority, and use it many times at the edge - at the cost of slow revocation. Each gatekeeper must maintain an authoritative negative permission list, instead of the positive list.