Adding support to XACML for dynamic delegation of authority in multiple domains

Authors:
David W Chadwick;Sassa Otenko;Tuan Anh Nguyen
Affiliations:
Computing Laboratory, University of Kent, Canterbury, Kent;Computing Laboratory, University of Kent, Canterbury, Kent;Computing Laboratory, University of Kent, Canterbury, Kent
Venue:
CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security
Year:
2006

Citing 7
Cited 4

Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
Certificate chain discovery in SPKI?SDSI

Journal of Computer Security
Distributed credential chain discovery in trust management

Journal of Computer Security
Constrained Delegation

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
First experiences using XACML for access control in distributed systems

Proceedings of the 2003 ACM workshop on XML security
Authorisation Using Attributes from Multiple Authorities

WETICE '06 Proceedings of the 15th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
Using XACML for privacy control in SAML-based identity federations

CMS'05 Proceedings of the 9th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security

Modelling task delegation for human-centric eGovernment workflows

Proceedings of the 10th Annual International Conference on Digital Government Research: Social Networks: Making Connections between Citizens, Data and Government
Deductive policies with XACML

Proceedings of the 2009 ACM workshop on Secure web services
A role-based XACML administration and delegation profile and its enforcement architecture

Proceedings of the 2009 ACM workshop on Secure web services
Recognition of authority in virtual organisations

TrustBus'07 Proceedings of the 4th international conference on Trust, Privacy and Security in Digital Business

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in the authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.