present certificates that are referenced negatively. Instead the resource owner
specifies a credential “collector” [27], which is a software module configured
to know about trusted repositories of negative certificates.
4 Evaluation Problems and Strategies
The trust management engine evaluates authorization queries based on security policies and credentials. Several issues regarding how such evaluation proceeds have been addressed in the evolution of modern TM systems. In this section we consider many of these issues. We defer until Section 5 discussion of issues that bear on the fact that policy and credentials may themselves be sensitive. Other issues, notably certificate revocation, we omit altogether. Topics discussed in this section include the following:
1. Separating the authorization service from the application provides several advantages.
Software components that manage security are subject to very high integrity requirements, as their correct functioning is essential to preventing misuse.
2. Policies should be written in special-purpose languages, not in general-purpose programming languages.
This has an obvious impact on the extent to which the trust management engine can efficiently evaluate authorization queries. Finding language constructs that are sufficiently expressive to enable policy objectives to be met, while simultaneously supporting efficient evaluation, has been an important factor in the evolution of TM systems.
3. Credential discovery and retrieval is an essential part of the authorization problem.
One of the important problems for TM systems is that of finding credentials that are not only issued and revoked in a decentralized manner, but whose storage is also distributed. In this environment, there is no central, well-known directory that records and keeps track of locations for each credential in the network, and on which entities can rely to retrieve credentials. If credentials cannot be found when they are needed during evaluation of authorization queries, it is not possible to prevent denying some access to resources that should be permitted.
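Item 3 above concerns finding credentials whose storage is distributed. The following is an added illustration, not code from this chapter or from any particular TM system: it models RT-style role-delegation credentials ("Issuer.role <- Member"), stores each credential with either its issuer or its subject, and has a central evaluator pull credentials from those repositories while searching from both ends (backward from the resource's role, forward from the requester). All principal, role and repository names are constructed, and the bidirectional search is one simple discovery strategy chosen for the example. The same two credentials are checked under four storage placements; one placement leaves the chain undiscoverable to this search even though the chain exists, which is the failure mode the item describes.

```python
"""Toy distributed credential-chain discovery for a TM evaluator.
Added illustration, not the chapter's code: RT-style credentials
"Issuer.role <- Member", each stored with its issuer or its subject, and a
central evaluator that fetches from those repositories. Names are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    issuer: str   # principal that signed the credential
    role: str     # role name defined by the issuer, e.g. "student"
    member: str   # a principal ("Alice") or a role ("StateU.student")

    @property
    def defined_role(self) -> str:
        return f"{self.issuer}.{self.role}"

    @property
    def subject(self) -> str:
        # principal whose repository may hold this credential
        return self.member.split(".", 1)[0]


def build_repositories(placements):
    """placements: iterable of (Credential, "issuer" | "subject").
    Returns {principal: credentials held in that principal's repository}."""
    repos = {}
    for cred, where in placements:
        owner = cred.issuer if where == "issuer" else cred.subject
        repos.setdefault(owner, []).append(cred)
    return repos


def centrally_pooled(creds):
    """Reference point: every credential already brought to one place."""
    principals = {c.issuer for c in creds} | {c.subject for c in creds}
    return {p: list(creds) for p in principals}


class ChainDiscovery:
    """Central evaluation point that pulls credentials from remote repos."""

    def __init__(self, repos):
        self.repos = repos
        self.contacted = []  # audit trail of repositories queried

    def fetch(self, principal):
        self.contacted.append(principal)
        return self.repos.get(principal, [])

    def backward(self, goal_role):
        """From the resource's role toward its members. Expanding A.r asks
        A's repository, so only issuer-stored credentials are found."""
        seen, queue = {goal_role}, deque([goal_role])
        while queue:
            role = queue.popleft()
            issuer = role.split(".", 1)[0]
            for c in self.fetch(issuer):
                if c.defined_role == role and c.member not in seen:
                    seen.add(c.member)
                    if "." in c.member:
                        queue.append(c.member)
        return seen  # goal_role plus every role/principal under it

    def forward(self, requester):
        """From the requester toward roles it holds. A credential with
        member X is sought in X's repository, so only subject-stored
        credentials are found."""
        seen, queue = {requester}, deque([requester])
        while queue:
            item = queue.popleft()
            holder = item.split(".", 1)[0]
            for c in self.fetch(holder):
                if c.member == item and c.defined_role not in seen:
                    seen.add(c.defined_role)
                    queue.append(c.defined_role)
        return seen  # requester plus every role it can be shown to hold

    def authorize(self, goal_role, requester):
        """Bidirectional search: a chain is found iff the frontiers meet."""
        return bool(self.backward(goal_role) & self.forward(requester))


# Constructed scenario: EPub admits StateU's students; StateU certifies Alice.
CREDS = [
    Credential("EPub", "access", "StateU.student"),
    Credential("StateU", "student", "Alice"),
]


def discoverable(placement):
    """Same credentials, different storage: (authorized?, repos contacted)."""
    engine = ChainDiscovery(build_repositories(zip(CREDS, placement)))
    return engine.authorize("EPub.access", "Alice"), engine.contacted


if __name__ == "__main__":
    for p in [("issuer", "subject"), ("subject", "issuer"),
              ("issuer", "issuer"), ("subject", "subject")]:
        print(p, discoverable(p))
```

With the first credential stored at its subject (StateU) and the second at its issuer (also StateU), neither EPub's nor Alice's repository holds anything, so the evaluator contacts only those two and denies the request even though a valid chain exists; pooling the same credentials centrally (`centrally_pooled`) authorizes it. The `contacted` list is worth keeping in a real evaluator as an audit record of which repositories an authorization decision depended on.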
It is possible to perform query evaluation with distributed credentials either by bringing the evaluation process to the remote credentials, and thus distributing the evaluation process, or by bringing the remote credentials to a central evaluation point. As we will see in this section, both approaches have been taken by TM systems. Moreover, there are alternatives with respect to where to locate credentials; at a minimum, they can naturally be located with their issuer or with their subject. However, permitting this flexibility raises challenges for ensuring that all credentials can be found by the evaluation