Information Technology Reference
In-Depth Information
Keynote [8], SPKI [4], DL [11], RT [12] and Cassandra [10]. In the introduction
section, we have briefly reviewed some of the related work. Now we give further
comparison of our work with some highly related work.
PolicyMaker allows arbitrary programs to be used in credentials and policies. Key-
note uses a special assertion language to define delegation policies. However, both
PolicyMaker and Keynote do not provide mechanisms to control the privilege prolif-
eration during delegation. RT [12] is a family of role-based trust management lan-
guages whose semantics are built upon Datalog rules. RT supports boolean control
over delegation of role authorities. The role intersections in RT can be viewed as a
kind of constraint on the scope of delegation targets. However, RT can only enforce
these delegation constraints for management-level AS. REAL05 supports the delega-
tion constraints on the scope of mediate delegatees, upper-bound of delegation depth
and the scope of delegation targets for both management-level AS and access-level
AS.
RT
C
[13] is a constrained version of RT for fine-grained control of structured re-
sources, which adopts Datalog
C
as the logical foundation. RT
C
does not introduce new
delegation constraints into existing RT framework. RT
C
only supports equality and
range constraints on role parameters. REAL05 supports inequality constraints as well
as equality and range constraints on both role parameters and predicate parameters.
The semantics of RT
C
follows the approach in RT0, which translates each credential
into a Datalog
C
rule. REAL05 uses meta rules to capture the general semantics of
policies, which can be extended to express more general constraints from the perspec-
tive of the whole system. Although the meta-rule approach will be a little more time-
consuming than credential-rule-translating approach, our simulation results show that
the performance is practically acceptable.
Cassandra [10] expresses policies in a language based on Datalog
C
[15], which
bears some similarities to our system. The expressiveness of Cassandra (and its com-
putational complexity) can be tuned by choosing an appropriate constraint domain.
The rules in Cassandra can refer to remote policies (for automatic credential retrieval
and trust negotiation). However, Cassandra does not embed any delegation control
mechanism in its reserved semantics. For example, the integer control on delegation is
totally managed by security administrators in Cassandra, which will easily lead to
mistakes in security management.
B. C. Neumann uses restricted proxy model [1] to support a variety of restrictions
on authorization and delegation, including
grantee
,
for-use-by-group
,
issued-for
,
quota
,
authorized
,
group-membership
,
accept-once
. But the restricted proxy model
does not provide restriction specification and semantics computation. Some of these
restrictions can be expressed by REAL05. For example, the
authorized
restriction can
be viewed as an access-level constraint on delegation targets. To support other restric-
tions such as
accept-once
, REAL05 need to be extended and collaborate with other
security mechanisms such as session management facilities.
REAL05 can be viewed as a successor of REAL04 [18], a role-based extensible
authorization framework proposed by the authors in 2004. REAL05 extends REAL04
to support many new features: (a) three types of roles to express the collections of
permissions, authorities and session capabilities; (b) constraints on delegation targets
and delegation depth; (c) using rules to define policies. The approaches to define the
semantics of REAL04 and REAL05 are also different: REAL04 adopts the credential-
