Delegation, whereby an entity gives some of its rights to other entities, is considered the cornerstone of decentralized authorization, and many recently proposed access control frameworks make delegation their central tenet. In these frameworks, delegation is commonly viewed as a transfer between two autonomous agents: the grantor and the grantee. The situation can be considerably more complex, and more challenging, when the grantor belongs to an organization. Employees are generally not autonomous agents; their actions are subject to the regulations of their enterprise. In particular, if an employee transfers his rights to another agent, that transfer is subject to the enterprise's delegation policies.

In delegation frameworks, authorizing a request requires finding a valid chain of credentials that delegates the authority from the source (the local policy of the entity that serves the request) to the requester. Unfortunately, chain discovery is a computationally expensive and time-consuming task. It has been shown that, in the general case, chain discovery is undecidable, and that in more restrictive cases it is polynomial in the number of credentials available to the server. Verifying compliance with the terms of a delegation policy adds considerable further overhead to request authorization.

This paper presents a framework that considerably reduces the time required to authorize a request. In this framework, a delegation chain is condensed into a single credential, called a chained delegation certificate (CDC). A CDC attests that its owner holds a certain right, and serves as proof that every link in the chain complies with the policy governing delegation of the right in question. When CDCs are used for authorization, the server needs neither to verify compliance with the delegation policy nor to perform the chain discovery step, so requests are served considerably faster.
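The two authorization paths the abstract contrasts, as an added toy model that is not code from the paper: the slow path runs chain discovery over a pile of credentials and then checks every link against an enterprise delegation policy, while the fast path only verifies one condensed statement. Everything below is constructed for illustration: the credential shape, the policy rules (a depth limit and "members may only delegate to other members"), the sample principals, and an HMAC over the condensed statement standing in for the issuing authority's digital signature.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Credential:
    """One delegation link: `issuer` grants `right` to `subject` (constructed shape)."""
    issuer: str
    subject: str
    right: str
    can_redelegate: bool


@dataclass(frozen=True)
class DelegationPolicy:
    """Enterprise delegation policy; the two rules are constructed for the demo."""
    max_depth: int           # longest chain the enterprise tolerates
    members: FrozenSet[str]  # employees bound by the policy

    def link_complies(self, cred: Credential, depth: int) -> bool:
        if depth > self.max_depth:
            return False
        # an employee may only pass the right on to another member of the enterprise
        if cred.issuer in self.members and cred.subject not in self.members:
            return False
        return True


def find_chain(source: str, requester: str, right: str,
               credentials: List[Credential]) -> Optional[List[Credential]]:
    """Chain discovery by depth-first search: the expensive step a CDC lets the server skip."""
    def dfs(holder, path, seen):
        if holder == requester:
            return path
        # a holder may only extend the chain if its own credential allowed redelegation
        if path and not path[-1].can_redelegate:
            return None
        for c in credentials:
            if c.issuer == holder and c.right == right and c.subject not in seen:
                found = dfs(c.subject, path + [c], seen | {c.subject})
                if found is not None:
                    return found
        return None
    return dfs(source, [], {source})


def validate_chain(chain: List[Credential], source: str, requester: str,
                   right: str, policy: DelegationPolicy) -> bool:
    """Structural check of the chain plus per-link compliance with the delegation policy."""
    if not chain or chain[0].issuer != source or chain[-1].subject != requester:
        return False
    for depth, cred in enumerate(chain, start=1):
        if cred.right != right:
            return False
        if depth > 1:
            prev = chain[depth - 2]
            if prev.subject != cred.issuer or not prev.can_redelegate:
                return False
        if not policy.link_complies(cred, depth):
            return False
    return True


def issue_cdc(chain, source, requester, right, policy, key: bytes) -> Optional[Dict]:
    """Condense a validated chain into one signed statement (HMAC stands in for a signature)."""
    if not validate_chain(chain, source, requester, right, policy):
        return None
    statement = {"source": source, "owner": requester, "right": right, "depth": len(chain)}
    body = json.dumps(statement, sort_keys=True).encode()
    return {"statement": statement, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_cdc(cdc: Dict, source: str, requester: str, right: str, key: bytes) -> bool:
    """Fast path: one tag check and three field comparisons, no discovery, no policy walk."""
    body = json.dumps(cdc["statement"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cdc["tag"]):
        return False
    s = cdc["statement"]
    return s["source"] == source and s["owner"] == requester and s["right"] == right


# Constructed sample data: a file server's local policy is the source of the right.
SOURCE = "acme-fileserver"
RIGHT = "read:quarterly-reports"
POLICY = DelegationPolicy(max_depth=3, members=frozenset({"alice", "bob", "carol"}))
CREDENTIALS = [
    Credential(SOURCE, "alice", RIGHT, True),
    Credential("alice", "bob", RIGHT, True),
    Credential("bob", "carol", RIGHT, False),
    Credential("bob", "dave", RIGHT, False),                        # dave is not an employee
    Credential("alice", "erin", "write:quarterly-reports", True),   # unrelated right
]
KEY = b"constructed-demo-key"  # shared with the authority that issues CDCs

if __name__ == "__main__":
    chain = find_chain(SOURCE, "carol", RIGHT, CREDENTIALS)
    cdc = issue_cdc(chain, SOURCE, "carol", RIGHT, POLICY, KEY)
    print("carol authorized via CDC:", verify_cdc(cdc, SOURCE, "carol", RIGHT, KEY))
    dave_chain = find_chain(SOURCE, "dave", RIGHT, CREDENTIALS)
    print("dave's chain found but policy-compliant:", validate_chain(dave_chain, SOURCE, "dave", RIGHT, POLICY))
```

Discovery finds a chain to `dave` as well, but `validate_chain` rejects it because `bob` delegated outside the enterprise, so no CDC is ever issued for him; on the fast path that rejection never has to be recomputed, which is the cost saving the abstract describes.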