infrastructure (PKI) systems, such as X.509 or PGP, which bind public keys to identities, certificates and credentials in TM systems do not typically bind public keys to identities, but rather to other information on which authorization decisions are based.
In the early TM systems PolicyMaker [11] and KeyNote [9], the information bound to a key by a credential is essentially an authorization to use a specific resource. In this sense they are quite similar to capabilities, which were first introduced by Dennis and Van Horn [20] in the context of operating systems to specify what privileges (e.g., a set of actions on certain objects in the operating system) the holder (e.g., subjects in operating systems) of the capability may use. A delegated capability is copied (or moved) from one holder to another.
Just as the holder of a car key can start the corresponding car, whoever holds a capability can use the privileges it specifies. While an operating system can rely on protected memory to implement assignment and delegation of privileges, in TM systems credentials are used to bind capabilities to public keys. Credentials may optionally also grant the right to further delegate the capability. Chains of such credentials can be used to document a sequence of delegations of privileges from the resource owner to the requester, and thus can prove that the requester indeed is authorized for the requested resource. Each credential in the chain is signed with the private key corresponding to the public key in the previous credential; the first is signed by the resource owner or his designee. The requester proves she is the authorized entity by answering challenges or otherwise demonstrating possession of the public key in the last credential in the chain.
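The chain check just described, as an added example in Go (not code from the chapter or from any of the TM systems it cites): each credential binds a resource and a delegate flag to a subject key, the verifier walks the chain from the resource owner's key and then checks the requester's answer to a challenge with the last key. The Ed25519 signatures, the `printer` resource, the field layout and the fixed challenge value are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential binds a capability (resource + delegate right) to the subject's key; the issuer signs it.
type Credential struct {
	Issuer, Subject ed25519.PublicKey
	Resource        string
	Delegate        bool // holder may delegate this capability further
	Sig             []byte
}

// body is the signed encoding; hex keys and the bool contain no '|', so it parses unambiguously.
func (c Credential) body() []byte {
	return []byte(fmt.Sprintf("%x|%x|%t|%s", c.Issuer, c.Subject, c.Delegate, c.Resource))
}

// Issue signs a credential for subject with the issuer's private key.
func Issue(priv ed25519.PrivateKey, subject ed25519.PublicKey, resource string, delegate bool) Credential {
	c := Credential{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Resource: resource, Delegate: delegate}
	c.Sig = ed25519.Sign(priv, c.body())
	return c
}

// VerifyChain accepts iff chain[0] is signed by the owner, each later credential is
// signed by the previous subject and that subject held the delegate right, every
// credential names the resource, and the requester answered the challenge with the last key.
func VerifyChain(owner ed25519.PublicKey, chain []Credential, resource string, challenge, answer []byte) bool {
	prev, mayDelegate := owner, true // the owner may always delegate her own resource
	for _, c := range chain {
		if !mayDelegate || !c.Issuer.Equal(prev) || c.Resource != resource || !ed25519.Verify(c.Issuer, c.body(), c.Sig) {
			return false
		}
		prev, mayDelegate = c.Subject, c.Delegate
	}
	return len(chain) > 0 && ed25519.Verify(prev, challenge, answer)
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys for the demo
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Credential{Issue(ownerPriv, alicePub, "printer", true), Issue(alicePriv, bobPub, "printer", false)}
	challenge := []byte("nonce-42") // in practice a fresh random value chosen by the verifier
	fmt.Println(VerifyChain(ownerPub, chain, "printer", challenge, ed25519.Sign(bobPriv, challenge))) // true
}
```

Because Bob's credential carries no delegate right, any credential Bob issues to a third party is rejected, as is a chain whose intermediate credential has been altered after signing.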
When privileges are specified directly in the credentials, the authorization decision is quite simple. However, additional expressive power can greatly facilitate scalability in environments such as the Internet, where service providers may wish to authorize large numbers of principals. Managing the delegation of access rights, for instance, to all students at a given university requires issuing a credential to each student for each resource to which they have access (library, cafeteria, gym, etc.). On the other hand, by utilizing credentials that characterize their owners as being students, the same student ID credential can be used to authorize a wide range of actions.
Indeed, later TM systems (e.g., to some extent SPKI/SDSI [18, 54, 22], and certainly RT [46] and Cassandra [5]) use credentials to characterize the holders of the credentials. These credentials need not contain specific authorizations, but provide more general attributes of the credential holders (e.g., student, US citizen, licensed driver born in 1960, etc.), which can be reused by various resource owners to make their access control decisions. This enables much more scalable policy definition. For instance, anyone who is 21 can purchase alcohol legally. It would be very unsatisfactory to require on-line shoppers to obtain a credential that can be used solely for purchasing alcoholic beverages from a specific vendor, as a purely capability-based approach would require. A much more viable solution is to enable all vendors of all age-restricted products