Explicit Delegation Using Configurable Cookies

  • David Llewellyn-JonesEmail author
  • Graeme Jenkinson
  • Frank Stajano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10368)


Password sharing is widely used as a means of delegating access, but it is open to abuse and relies heavily on trust in the person being delegated to. We present a protocol for delegating access to websites as a natural extension to the Pico protocol. Through this we explore the potential characteristics of delegation mechanisms and how they interact. We conclude that security for the delegator against misbehaviour of the delegatee can only be achieved with the cooperation of the entity offering the service being delegated. To achieve this in our protocol we propose configurable cookies that capture delegated permissions.



We are grateful to the European Research Council for funding this research through grant StG 307224 (Pico). We also thank the workshop attendees for comments.


  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). CrossRefGoogle Scholar
  2. 2.
    Bauer, L., Cranor, L.F., Reiter, M.K., Vaniea, K.: Lessons learned from the deployment of a smartphone-based access-control system. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS 2007, pp. 64–75. ACM (2007)Google Scholar
  3. 3.
    CESG: Password guidance: simplifying your approach. CESG, CPNI, January 2016.
  4. 4.
    Christianson, B.: Living in an impossible world: real-izing the consequences of intransitive trust. Philos. Technol. 26(4), 411–429 (2013)CrossRefGoogle Scholar
  5. 5.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation, pp. 167–176. IEEE, August 2005Google Scholar
  6. 6.
    Jenkinson, G., Spencer, M., Warrington, C., Stajano, F.: I bought a new security token and all I got was this Lousy Phish—relay attacks on visual code authentication schemes. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 197–215. Springer, Cham (2014). doi: 10.1007/978-3-319-12400-1_19 Google Scholar
  7. 7.
    Lenhart, A., Lewis, O., Rainie, L.: Teenage life online: the rise of the instant-message generation and the internets impact on friendships and family relationships, June 2001.
  8. 8.
    Palfrey, J., Sacco, D.T., Boyd, D., DeBonis, L., Tatlock, J.: Enhancing child safety and online technologies, December 2008.
  9. 9.
    Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password sharing: implications for security design based on social practice, p. 895904. In: CHI 2007. ACM (2007).
  10. 10.
    Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25867-1_6 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • David Llewellyn-Jones
    • 1
    Email author
  • Graeme Jenkinson
    • 1
  • Frank Stajano
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK

Personalised recommendations