other servers that might be able to provide additional relevant credentials. The lowest level just returns relevant credentials held locally.
When one TM system replies to another, integrity and authenticity are normally provided by signing the reply. There are two approaches to signing: on-line signing and off-line signing. On-line signing enables the server to sign extensional answers as they are generated. Off-line signing requires the server to return a set of credentials previously signed off line. Off-line signing protects the server's private key, but at the same time requires frequent synchronization and coordination between the trust management server and the off-line signer. Additionally, intensional answers typically require clients to verify more signatures. (QCM uses a technique based on hash trees to decrease the overhead of signing credentials, especially when the set of credentials is very large. This may also reduce the overall effort required to verify credentials in some cases.) QCM allows different servers to choose different signing solutions because neither off-line signing nor on-line signing can be clearly proven superior to the other.
Another issue that must be managed in distributed evaluation arises as a result of cyclic dependencies among the definitions of predicate (i.e., relation) symbols. These can easily lead to repeated subqueries to remote hosts and, if unchecked, can result in nontermination. Two techniques have been proposed to mitigate this problem. QCM [25] uses a timer: if no response is returned within a time-out limit, it assumes a cyclic dependency or some other failure. However, it is not clear what an appropriate time-out period is, so this approach may lead to denying access to requests that should be authorized. SD3 [32] tags each query with the set of sites that are waiting for it to terminate, so it can always be checked whether the destination site is already in this set and would therefore cause a cycle. This method is simple, but may be time consuming and costly in bandwidth.
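The two cycle-handling strategies above, simulated in a constructed toy model of distributed predicate evaluation (added illustration, not code from QCM or SD3): each query carries the set of hosts already waiting on it, and a host that finds itself in that set cuts the branch; a hop budget stands in for QCM's timer. The host names, predicate definitions and the choice to return an empty answer for the cut branch are assumptions.

```python
"""Toy SD3-style evaluation: queries are tagged with the set of waiting hosts.
Constructed example; returning an empty set for a cut cyclic branch is an
assumption made for this illustration, not the systems' actual behaviour."""
from dataclasses import dataclass, field

@dataclass
class Definition:
    facts: set = field(default_factory=set)      # members known locally
    remote: list = field(default_factory=list)   # (host, predicate) references

# Constructed policy: A.member and B.member refer to each other (a cycle),
# and B.member also pulls in C.staff.
HOSTS = {
    "A": {"member": Definition({"alice"}, [("B", "member")])},
    "B": {"member": Definition({"bob"}, [("A", "member"), ("C", "staff")])},
    "C": {"staff": Definition({"carol"}, [])},
}

def evaluate(host, predicate, waiting=frozenset(), cycles=None):
    """Return the extension of host:predicate; cycles records cut branches."""
    if cycles is None:
        cycles = []
    if host in waiting:                  # this host is already waiting on us
        cycles.append((host, predicate))
        return set()                     # cut the cyclic branch (assumption)
    defn = HOSTS[host][predicate]
    answer = set(defn.facts)
    for rhost, rpred in defn.remote:     # tag each subquery with ourselves
        answer |= evaluate(rhost, rpred, waiting | {host}, cycles)
    return answer

def query(host, predicate):
    """Top-level query: returns (answer, list of cycles that were detected)."""
    cycles = []
    return evaluate(host, predicate, frozenset(), cycles), cycles

def evaluate_with_timeout(host, predicate, hops_left):
    """QCM-style safeguard: no cycle check, a hop budget stands in for the timer."""
    if hops_left == 0:
        raise TimeoutError(f"{host}:{predicate} gave no answer within the time-out")
    defn = HOSTS[host][predicate]
    answer = set(defn.facts)
    for rhost, rpred in defn.remote:
        answer |= evaluate_with_timeout(rhost, rpred, hops_left - 1)
    return answer
```

With the cyclic policy the tagged evaluation terminates and still finds every member, while the budget-only evaluation keeps bouncing between A and B until the budget (the time-out) expires.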
4.5 Local Evaluation with Distributed Credentials
QCM and its successor SD3 were the first TM systems to address the problem of evaluating authorization policy when credentials (policy statements) are not only issued and revoked in a decentralized manner, but their storage is also distributed. These systems showed that credentials could be stored with their issuers and located as needed during evaluation. In this way it is possible to ensure that every credential in every proof of authorization can be discovered when needed (under basic availability assumptions regarding the network and relevant servers), and thus that it is possible to grant access to all entities that should be authorized according to the set of currently valid policy statements.
However, the assumption that credentials be stored exclusively with their issuers is quite restrictive. In many applications it is more appropriate to store some credentials with their subjects. For example, when a store offers discounts to students at the University of Texas, it may not be reasonable to expect that the university will provide the credentials (student IDs). Firstly,