Abstract
In this paper we describe how we have added support for dynamic delegation of authority, enacted by one user issuing credentials to another, to the XACML model for authorisation decision making. We first set out the problems and requirements such a model imposes, given that multiple domains will typically be involved. We then describe our architected solution, based on the XACML conceptual and data flow models, and present at a conceptual level the policy elements needed to support this model of dynamic delegation of authority. Because these policy elements differ significantly from those of the existing XACML policy, we propose a new conceptual entity, the Credential Validation Service (CVS), which works alongside the XACML PDP in authorisation decision making: the CVS validates the credentials presented for a subject against a credential validation policy and passes only the validated attributes to the PDP, which then evaluates the access control policy. Finally we give an overview of our first specification of such a policy and its implementation in the corresponding CVS.
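The split the abstract describes, a CVS that validates delegation chains before a PDP ever sees the attributes, can be made concrete with a small model. The following is an added example, not the paper's CVS or its policy specification: it assumes a simplified credential validation policy consisting of a set of trusted sources of authority per attribute and a bound on chain length, and the usual delegation rule that a delegator may grant at most one level of delegation depth fewer than it holds. All names, organisations and credentials below are constructed for illustration; signature verification is assumed to have happened already.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """An attribute assertion issued by `issuer` to `holder` (signature checking assumed done)."""
    issuer: str
    holder: str
    attribute: str
    value: str
    delegate_depth: int  # further hops the holder may delegate this attribute; 0 = none


@dataclass
class ValidationPolicy:
    # (attribute, value) -> issuers (sources of authority) trusted to assert it at the chain root
    trusted_sources: dict
    max_chain_len: int  # bound on credentials in a delegation chain, root credential included


class CredentialValidationService:
    """Hypothetical CVS: turns a pile of credentials into the attributes a subject validly holds."""

    def __init__(self, policy: ValidationPolicy):
        self.policy = policy

    def validate(self, subject: str, credentials) -> set:
        by_holder = defaultdict(list)
        for c in credentials:
            by_holder[c.holder].append(c)
        valid = set()
        for cred in by_holder.get(subject, []):
            if self._chain_ok(cred, by_holder, self.policy.max_chain_len, frozenset()):
                valid.add((cred.attribute, cred.value))
        return valid

    def _chain_ok(self, cred, by_holder, budget, visited) -> bool:
        # Walk from the subject's credential back towards a trusted source of authority.
        if budget <= 0 or cred in visited:  # chain too long, or a delegation cycle
            return False
        key = (cred.attribute, cred.value)
        if cred.issuer in self.policy.trusted_sources.get(key, set()):
            return True  # root credential issued directly by a trusted source
        for parent in by_holder.get(cred.issuer, []):
            # The issuer must itself hold the attribute with enough depth left to delegate it.
            if (parent.attribute, parent.value) == key and parent.delegate_depth >= cred.delegate_depth + 1:
                if self._chain_ok(parent, by_holder, budget - 1, visited | {cred}):
                    return True
        return False


class PolicyDecisionPoint:
    """Minimal stand-in for the XACML PDP: attribute-based permit rules, deny otherwise."""

    def __init__(self, rules):
        self.rules = rules  # (attribute, value) -> set of (resource, action) permitted

    def decide(self, attributes, resource, action) -> str:
        for attr in attributes:
            if (resource, action) in self.rules.get(attr, set()):
                return "Permit"
        return "Deny"


# Constructed sample data: one legitimate chain plus three ways a credential can fail validation.
CREDENTIALS = [
    Credential("soa@orgA", "alice@orgA", "role", "developer", 3),     # root, from trusted source
    Credential("alice@orgA", "bob@orgB", "role", "developer", 2),     # alice -> bob (cross-domain)
    Credential("bob@orgB", "carol@orgC", "role", "developer", 1),     # bob -> carol
    Credential("carol@orgC", "frank@orgC", "role", "developer", 0),   # 4th hop: exceeds max_chain_len
    Credential("alice@orgA", "eve@orgB", "role", "developer", 3),     # alice may grant at most depth 2
    Credential("mallory@orgZ", "dave@orgB", "role", "developer", 0),  # no chain to a trusted source
]

POLICY = ValidationPolicy(trusted_sources={("role", "developer"): {"soa@orgA"}}, max_chain_len=3)
CVS = CredentialValidationService(POLICY)
PDP = PolicyDecisionPoint({("role", "developer"): {("repo", "commit")}})


def authorise(subject: str, credentials, resource: str, action: str) -> str:
    """The data flow from the abstract: CVS validates, then the PDP decides on validated attributes only."""
    return PDP.decide(CVS.validate(subject, credentials), resource, action)


if __name__ == "__main__":
    for who in ("carol@orgC", "frank@orgC", "eve@orgB", "dave@orgB"):
        print(who, CVS.validate(who, CREDENTIALS), authorise(who, CREDENTIALS, "repo", "commit"))
```

Keeping chain discovery in the CVS rather than in the PDP is the point of the split: the access control policy only ever reasons about attributes that have been traced back to a source of authority it trusts, so a forged or over-delegated credential from another domain never reaches the PDP as an attribute at all.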
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Chadwick, D.W., Otenko, S., Nguyen, T.A. (2006). Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains. In: Leitold, H., Markatos, E.P. (eds) Communications and Multimedia Security. CMS 2006. Lecture Notes in Computer Science, vol 4237. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11909033_7
DOI: https://doi.org/10.1007/11909033_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47820-1
Online ISBN: 978-3-540-47823-2