The WS-* specification set defines a message authentication model for web services. This model targets the authentication of message exchanges in large-scale decentralized systems composed of different authentication domains. However, it has scalability and flexibility limitations: acquiring identity claims requires online interactions with security token services, which introduces communication overhead and creates performance bottlenecks; and a service's policy, which states its requirements, must point directly to the issuing security token services, limiting the flexibility of the trust relations. We present a new model that addresses these limitations using two concepts from the trust management paradigm: credentials for claim inference and claim-based issuer references (attribute-based delegation). We show how credentials are used both to increase scalability, by reducing the number of online token requests, and to increase flexibility, by allowing indirect trust relations, namely claim-based delegation. We also show how the simultaneous use of security tokens and credentials gives our model several advantages over credential-only trust management models. The proposed model fits naturally into the WS-* framework, in particular its message security model and policy language. We illustrate this with the implementation of an extension to the Windows Communication Foundation, a commercial-grade web services platform, that provides support for this model.