Databases Reference
In-Depth Information
if the student ID includes personally sensitive information, it should be the
student who decides whether to give her ID to the store. Secondly, there may
be thousands of services that are offered to students, and the university may
not be interested in assisting these transactions.
One of the contributions of RT [49] was to devise the first scheme that
permits credentials to be stored either at their issuers or at their subjects.
RT differs from QCM and SD3 by performing the evaluation process locally
and relying on remote servers only to provide credentials relevant to the
evaluation process. The evaluation process is based on constructing a graph that
represents relationships between different role expressions, which is to say,
between different principals, roles, linked roles, and intersections. Proofs of role
membership are certain subgraphs called chains. Nodes in the graph are given
by role expressions. Edges represent credentials, as well as some derived
relationships. A path connecting two role expressions indicates set containment
of the first role expression in the other.
Evaluation of the query asking whether D is a member of A.r begins by
introducing nodes representing these two entities and proceeds by adding
incident edges. This requires locating the credentials represented by those edges.
Speaking very intuitively, credentials are identified as being relevant to
extending the graph based on the principals appearing in the nodes. Unfortunately,
when trying to extend the graph by including edges incident to a given node,
unless the corresponding credentials are stored by principals identified by the
node, it is not clear who has the credential. So the evaluation procedure may
not be able to find all the credentials that exist and that, if found, would
participate in a proof of authorization. (It should be noted that RT's notion
of a principal is assumed to provide sufficient information to locate credentials
stored “by” the principal.)
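The lookup problem described above, as an added example (not code from the book or from [49]): a backward search that asks only the principal named in each node, run over the six credentials of the EPub example that follows. The credential forms are reconstructed from the page's prose because Table 1 is not reproduced here, and the storage layouts and function names are assumptions.

```python
# Credentials reconstructed from the page's prose and chain: number -> (defined role, body).
CREDS = {
    1: ("FAB.accredited", "StateU"),
    2: ("RegistrarB.student", "Alice"),
    3: ("EPub.discount", "EOrg.preferred"),
    4: ("EOrg.university", "FAB.accredited"),
    5: ("StateU.student", "RegistrarB.student"),
    6: ("EOrg.preferred", "EOrg.university.student"),
}

def place(at_subject=()):
    """Hypothetical storage layout: principal -> credential numbers it holds.
    A credential sits at its issuer unless its number is in at_subject."""
    store = {}
    for n, (head, body) in CREDS.items():
        holder = (body if n in at_subject else head).split(".")[0]
        store.setdefault(holder, []).append(n)
    return store

def members(store, role, visiting=frozenset(), asked=None):
    """Backward search for the principals in `role`. Only the principal named
    in the node (the role's owner) is asked for credentials defining it."""
    if role in visiting:          # cycle guard; enough for this acyclic policy
        return set()
    visiting = visiting | {role}
    owner = role.split(".")[0]
    if asked is not None:
        asked.append(owner)       # record who the evaluator contacted
    found = set()
    for n in store.get(owner, []):
        head, body = CREDS[n]
        if head != role:
            continue
        parts = body.split(".")
        if len(parts) == 1:       # A.r <- D
            found.add(body)
        elif len(parts) == 2:     # A.r <- B.r1
            found |= members(store, body, visiting, asked)
        else:                     # A.r <- B.r1.r2 (linked role)
            for p in members(store, ".".join(parts[:2]), visiting, asked):
                found |= members(store, f"{p}.{parts[2]}", visiting, asked)
    return found

if __name__ == "__main__":
    for layout in ((), (2,)):     # all at issuers, then (2) held by its subject
        asked = []
        got = members(place(layout), "EPub.discount", asked=asked)
        print(f"at subject {layout}: members={sorted(got)} asked={asked}")
```

When credential (2) is held by its subject, the search comes back empty: no node on the path ever names Alice, so she is never asked for it.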
We use an example from [49] to better illustrate this problem. Consider
the RT0 credentials shown in Table 1, which are referred to by number in
the following. A fictitious web publishing server, EPub, offers a discount to
preferred customers of its parent organization EOrg (3). EOrg considers
university students to be preferred customers (6). EOrg delegates authority to
identify universities to FAB, a Fictitious Accrediting Board (4). The
university StateU is accredited by FAB (1). StateU delegates authority to identify
students to RegistrarB, which is the registrar of one of StateU's campuses (5).
RegistrarB has issued a credential to Alice stating that Alice is a student (2).
These credentials form a chain that shows Alice belongs to EPub.discount.
The chain consists of three parts (the expressions are now nodes and the
arrows are now edges):
Part (a): EPub.discount ← EOrg.preferred ← EOrg.university.student
Part (b): EOrg.university ← FAB.accredited ← StateU
Part (c): StateU.student ← RegistrarB.student ← Alice
It is natural that credential (4) is a local policy of EOrg and of limited
interest to FAB. So it should be stored at its issuer EOrg. Similarly, credentials
(3), (5) and (6) should be stored at their issuers. On the other hand, Alice