Title: Access control in an open distributed environment

Abstract: We describe an architecture for secure, independent, interworking services (Oasis). Each service is made responsible for the classification of its clients into named roles, using a formal logic to specify precise conditions for entering each role. A client becomes authenticated by presenting credentials to a service that enable the service to prove that the client conforms to its policy for entry to a particular role. During authentication a data structure is created that embodies the proof. An authenticated client is issued a role membership certificate (RMC) for its subsequent use with that service. An RMC is an encryption-protected capability which includes the role name, the identity of the principal to which it was issued and a reference to the issuing service. A proof rule of one service may refer to an authenticated user of another; that is, an RMC issued by one service may be required as a credential during authentication by another. A dynamic proof tree may thus be built which exhibits amongst other things the trust relationships between the services which the client has entered. The paper shows how a service may define a set of proof rules (Horn clauses) that specify who may use it and in what way. Delegation of rights may be expressed naturally within these rules. It goes on to present the design details of the system. The system is inherently decentralised and has a tuneable reaction to network or server failure which allows services to make appropriate decisions when authorization or revocation information is unavailable. A prototype system has been implemented and tested.

Year: 1998
DOI: 10.1109/SECPRI.1998.674819
Venue: IEEE Symposium on Security and Privacy
Keywords: Horn clauses, authorisation, client-server systems, cryptography, internetworking, message authentication, open systems, theorem proving, Oasis, RMC, access control, authenticated client, authenticated user, authorization, client authentication, credentials, data structure, decentralised system, delegation of rights, dynamic proof tree, encryption-protected capability, formal logic, interworking services, named roles, open distributed environment, proof rule, revocation information, role membership certificate, role name, server failure, trust relationship, tuneable reaction
Field: Public key infrastructure, Distributed Computing Environment, Computer science, Public key certificate, Web access, Computer security, Access control, Privilege Management Infrastructure, Authorization certificate
DocType: Conference
ISSN: 1081-6011
ISBN: 0-8186-8386-4
Citations: 51
PageRank: 9.80
References: 4
Authors: 3
Name
Order
Citations
PageRank
Richard Hayton121933.10
Bacon, J.M.2519.80
Ken Moody393585.75