Review and Revocation of Access Privileges Distributed with PKI Certificates

  • Conference paper
Security Protocols (Security Protocols 2000)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2133)

Abstract

Public-key infrastructures (PKIs) that support both identity certificates and access control (e.g., attribute, delegation) certificates are increasingly common. We argue that these PKIs must also support revocation and review policies that are typical of more traditional access control systems; e.g., selective and transitive certificate revocation, and per-object access review. Further, we show that PKIs that eliminate identity certificates, such as the SPKI, resolve only selective revocation problems and, at the same time, make access review more complex.

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Khurana, H., Gligor, V.D. (2001). Review and Revocation of Access Privileges Distributed with PKI Certificates. In: Christianson, B., Malcolm, J.A., Crispo, B., Roe, M. (eds) Security Protocols. Security Protocols 2000. Lecture Notes in Computer Science, vol 2133. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44810-1_15

  • DOI: https://doi.org/10.1007/3-540-44810-1_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42566-3

  • Online ISBN: 978-3-540-44810-5

  • eBook Packages: Springer Book Archive
