
A Classification of Delegation Schemes for Attribute Authority

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4691))

Abstract

Recently assertions have been explored as a generalisation of certificates within access control. Assertions are used to link arbitrary attributes (e.g. roles, security clearances) to arbitrary entities (e.g. users, resources). These attributes can then be used as identifiers in access control policies to refer to groups of users or resources.

In many applications attribute management does not happen within the access control system. External entities manage attribute assignments and issue assertions that are then used in the access control system. Some approaches also allow for the delegation of attribute authority, in order to spread the administrative workload. In such systems the consumers of attribute assertions issued by a delegated authority need a delegation verification scheme.

In this article we propose a classification of schemes that verify delegated authority, with a focus on attribute assertion. Using our classification, one can deduce some advantages and drawbacks of the different approaches to delegated attribute assertion.
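What "delegation verification" means for a consumer of attribute assertions can be made concrete with a small chain verifier. The following is an added example and not code from the paper or from any of the standards it discusses; it assumes a trust root that delegates attribute authority downward, where each delegation token names a delegate and the subset of attributes that delegate may assert, and the relying party checks the whole chain (anchoring, signatures, expiry, scope narrowing at every hop) before accepting an attribute assertion. Per-issuer HMAC secrets stand in for the signing keys a real scheme would use, and the issuer names, attribute names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example: per-issuer HMAC secrets stand in for signing keys.
# A real deployment would use public-key signatures; this is an assumption
# made only to keep the chain-verification logic self-contained.
KEYS = {
    "root-authority": b"root-secret",
    "dept-admin": b"dept-secret",
    "project-lead": b"project-secret",
}


def _sign(issuer, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()


def _verify_sig(issuer, payload, sig):
    # Unknown issuers have no key and therefore cannot have signed anything.
    if issuer not in KEYS:
        return False
    return hmac.compare_digest(_sign(issuer, payload), sig)


def make_delegation(issuer, delegate, attributes, not_after):
    """Issuer authorises delegate to assert exactly the listed attributes."""
    payload = {"type": "delegation", "issuer": issuer, "delegate": delegate,
               "attributes": sorted(attributes), "not_after": not_after}
    return {"payload": payload, "sig": _sign(issuer, payload)}


def make_assertion(issuer, subject, attribute, not_after):
    """Issuer asserts that subject holds attribute."""
    payload = {"type": "assertion", "issuer": issuer, "subject": subject,
               "attribute": attribute, "not_after": not_after}
    return {"payload": payload, "sig": _sign(issuer, payload)}


def verify_chain(assertion, chain, trust_root, now):
    """Return (ok, reason). chain lists delegations from trust_root outward.

    Every hop must be issued by the previous hop's delegate, carry a valid
    signature, be unexpired, and delegate no more than its issuer was given.
    The final assertion must come from the last delegate and stay in scope.
    """
    current_issuer = trust_root
    scope = None  # None: unrestricted, i.e. the trust root itself
    for token in chain:
        p = token["payload"]
        if p.get("type") != "delegation":
            return False, "non-delegation token in chain"
        if p["issuer"] != current_issuer:
            return False, f"chain break: {p['issuer']} is not {current_issuer}"
        if not _verify_sig(p["issuer"], p, token["sig"]):
            return False, f"bad signature from {p['issuer']}"
        if p["not_after"] < now:
            return False, f"delegation from {p['issuer']} expired"
        attrs = set(p["attributes"])
        if scope is not None and not attrs <= scope:
            return False, f"{p['issuer']} delegated attributes outside its own scope"
        scope = attrs
        current_issuer = p["delegate"]

    a = assertion["payload"]
    if a.get("type") != "assertion":
        return False, "not an attribute assertion"
    if a["issuer"] != current_issuer:
        return False, "assertion issuer is not the end of the delegation chain"
    if not _verify_sig(a["issuer"], a, assertion["sig"]):
        return False, "bad assertion signature"
    if a["not_after"] < now:
        return False, "assertion expired"
    if scope is not None and a["attribute"] not in scope:
        return False, f"attribute {a['attribute']} outside delegated scope"
    return True, "ok"


if __name__ == "__main__":
    # Constructed chain: root -> dept-admin (developer, tester) -> project-lead (developer)
    root_d = make_delegation("root-authority", "dept-admin",
                             {"role:developer", "role:tester"}, not_after=200)
    dept_d = make_delegation("dept-admin", "project-lead", {"role:developer"}, not_after=200)
    alice = make_assertion("project-lead", "alice", "role:developer", not_after=200)
    print(verify_chain(alice, [root_d, dept_d], "root-authority", now=100))
    bob = make_assertion("project-lead", "bob", "role:tester", not_after=200)
    print(verify_chain(bob, [root_d, dept_d], "root-authority", now=100))
```

The scope check at each hop is what distinguishes delegation verification from plain signature verification: a delegate that tries to hand out an attribute it was never given (or an assertion issued directly by a delegate that is not anchored to the trust root) is rejected even though every signature in the chain is valid.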

This work was carried out during the tenure of an ERCIM “Alain Bensoussan” Fellowship Programme.





Editor information

Theo Dimitrakos Fabio Martinelli Peter Y. A. Ryan Steve Schneider


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Seitz, L., Rissanen, E., Sadighi, B. (2007). A Classification of Delegation Schemes for Attribute Authority. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds) Formal Aspects in Security and Trust. FAST 2006. Lecture Notes in Computer Science, vol 4691. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75227-1_11


  • DOI: https://doi.org/10.1007/978-3-540-75227-1_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75226-4

  • Online ISBN: 978-3-540-75227-1

  • eBook Packages: Computer Science (R0)
