Name
Abstract | ||
|---|---|---|
There is a developing need for applications and distributed services to cooperate or inter-operate. Current mechanisms can hide the heterogeneity of host operating systems and abstract the issues of distribution and object location. However, in order for systems to inter-operate securelythere must also be ways to hide differences in security policies, or at least to support negotiation between them.Other proposals for the interworking of security mechanisms have focussed on the enforcement of access policy at the expense of flexibility of expression of policy. This work describes a new architectural approach to security. The key idea is that a processis the universal client entity; a process may act on behalf of an identified individual as in traditional security schemes. More generally, a process may adopt an application-specific name or role, and this is used as the basis for authentication in Oasis. A service may then be written in terms of service-specific categories of clients, decoupled from the mechanisms used to specify and enforce access control policy.This approach allows great flexibility when integrating a number of services, and reduces the mismatch of policies that is common in heterogeneous systems. In addition, Oasis services may be integrated with alternative authentication and access control schemes, providing a truly open architecture.A flexible security definition is meaningless if not backed by a robust and efficient implementation. Oasis has been fully implemented, and is inherently distributed and scalable. In this paper we describe the general approach then concentrate on revocation, where security designs are most often criticised. Oasis is unique in supporting the rapid and selective revocation of privileges which can cascade between services and organisations. |
Year | DOI | Venue |
|---|---|---|
1997 | 10.1109/ICDCS.1997.598061 | Baltimore, MD |
Keywords | Field | DocType |
authorisation,computer network management,internetworking,message authentication,open systems,oasis services,access control policy,access control schemes,alternative authentication,application specific name,architectural approach,authentication,distributed services,flexible security definition,heterogeneous systems,inherently distributed,open architecture,revocation,secure interworking services,security designs,service specific categories,traditional security schemes,universal client entity | Network security policy,Security through obscurity,Distributed System Security Architecture,Computer security,Computer science,Security service,Access control,Security policy,Network Access Control,Computer security model,Distributed computing | Conference |
ISSN | ISBN | Citations |
1063-6927 | 0-8186-7813-5 | 12 |
PageRank | References | Authors |
3.79 | 5 | 2 |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Richard Hayton | 1 | 219 | 33.10 |
| Ken Moody | 2 | 935 | 85.75 |