Abstract
New key-oriented discretionary access control systems are based on delegation of access rights with public-key certificates. This paper explains the basic idea of delegation certificates in abstract terms and discusses their advantages and limitations. We emphasize decentralization of authority and operations. The discussion is based mostly on SPKI certificates, but we avoid touching implementation details. We also describe how threshold and conditional certificates can add flexibility to the system. Examples are given of access control between intelligent network services.
Copyright information
© 1999 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Aura, T. (1999). Distributed Access-Rights Management with Delegation Certificates. In: Vitek, J., Jensen, C.D. (eds) Secure Internet Programming. Lecture Notes in Computer Science, vol 1603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48749-2_9
DOI: https://doi.org/10.1007/3-540-48749-2_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66130-6
Online ISBN: 978-3-540-48749-4
eBook Packages: Springer Book Archive