Distributed Credential Chain Discovery in Trust Management with Parameterized Roles and Constraints (Short Paper)

  • Ziqing Mao
  • Ninghui Li
  • William H. Winsborough
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


Trust management (TM) is an approach to access control in decentralized distributed systems with access control decisions based on statements made by multiple principals. Li et al. developed the RT family of Role-Based Trust-management languages, which combine the strengths of Role-Based Access Control and TM systems. We present a distributed credential chain discovery algorithm for $RT_1^C$, a language in the RT family that has parameterized roles and constraints. Our algorithm is a combination of the logic-programming style top-down query evaluation with tabling and a goal-directed version of the deductive database style bottom-up evaluation. Our algorithm uses hints provided through the storage types to determine whether to use a top-down or bottom-up strategy for a particular part of the proof; this enables the algorithm to touch only those credentials that are related to the query, which are likely to be a small fraction of all the credentials in the system.


Keywords: Trust Management; Parameterized Role; Deductive Database; Forward Search; Constraint Domain
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ziqing Mao (1)
  • Ninghui Li (1)
  • William H. Winsborough (2)

  1. CERIAS and Department of Computer Science, Purdue University
  2. Department of Computer Science, University of Texas at San Antonio
