The art of Prolog: advanced programming techniques
The art of Prolog: advanced programming techniques
Delegation logic: A logic-based approach to distributed authorization
ACM Transactions on Information and System Security (TISSEC)
DATALOG with Constraints: A Foundation for Trust Management Languages
PADL '03 Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages
SD3: A Trust Management System with Certified Evaluation
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Flexible access control policy specification with constraint logic programming
ACM Transactions on Information and System Security (TISSEC)
Cassandra: Distributed Access Control Policies with Tunable Expressiveness
POLICY '04 Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks
Secure Context-Sensitive Authorization
PERCOM '05 Proceedings of the Third IEEE International Conference on Pervasive Computing and Communications
Automated trust negotiation using cryptographic credentials
Proceedings of the 12th ACM conference on Computer and communications security
Hi-index | 0.00 |
In open systems, the verification of properties of subjects is crucial for authorization purposes. Very often access to resources is based on policies that express (possibly complex) requirements in terms of what are referred to variously as identity properties, attributes, or characteristics of the subject. In this paper we provide an approach that an entity called a verifier can use to evaluate queries about properties of a subject requesting resources that are relevent deciding whether the requested action is authorized. Specifically, we contribute techniques that enable reuse of previously computed query results. We consider issues related to temporal validity as well as issues related to confidentiality when one entity reuses query results computed by another entity. We employ constraint logic programming as the foundation of our policy rules and query evaluation. This provides a very general, flexible basis, and enable our work to be applied more or less directly to several existing policy frameworks. The process of evaluation of a query against a subject identity is traced through a structure, referred to as identity proof tree, that carries all information proving that a policy requirement is met.