Information Technology Reference
In-Depth Information
rule-translating approach while REAL05 adopts the meta-rule approach. REAL05 is
also powered by a clearly defined constrained delegation model named GCDM.
Compared with REAL04, REAL05 are more flexible and extensible on both syntax
and semantics.
6 Conclusion
“Trust can not be trusted.” We aim to provide a more controllable and practical dele-
gation model for TM systems, which could be used to specify delegation policies not
only between entities that trust each other, but also between entities that (often have
to) cooperate according to application requirements or security policies.
Contributions of this paper includes: (1) proposing a generalized constrained dele-
gation model, giving clear definition of authorization system, delegation tree, delega-
tion depth, delegation constraint, and the semantic model of constrained delegation.
(2) proposing a typed privilege model based on permission activation mechanism,
uncovering the essential difference between
MTP
and
ATP
, and provides means to
avid undesired privilege transition. (3) using spacial constraint to restrict the shape of
delegation trees, including mediate delegatees, delegation targets and upper-bound of
delegation depth. (4) deigning a rule-based policy specification language, using meta
rules to express general policy semantics, which provides a means to enforce more
general policies (such as setting the upper-bound of the delegation depth for all the
delegations in the whole system).
Future work includes: (i) extending GCDM with temporal constraints; (ii) integrat-
ing GCDM model with existing role-based TM systems such as RT [12] and Cassan-
dra [10] to control the potential privilege proliferation in distributed attributes infer-
ence policies [12]; (iii) searching for more efficient credential distribution and distrib-
uted inference algorithms.
Acknowledgements
This research was sponsored by the National Natural Science Foundation under Grant
No.90412011; the National High Technology Development 863 Program of China
(No.2003AA115210; No.2004AA112020). The authors would also like to thank the
anonymous reviewers for their valuable comments which greatly improve the quality
of this paper.
References
1.
Neumann, B.C.: Proxy-Based Authorization and Accounting for Distributed Systems.
Proceedings of the 13th International Conference on Distributed Computing Systems,
Pittsburgh, PA (May 1993)
2.
Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems:
Theory and practice. ACM Transactions on Computer Systems, 10(4) (November 1992)
265-310
