to utilize any suitable credential that the client already happens to have (e.g.,
a digital driver's license or passport).
Besides the basic notion of delegation in which one entity gives some of
its access rights to another entity, there are two additional delegation idioms
that are most often discussed in the designs of trust management systems:
appointment and threshold delegation. In the case of appointment, the appointer
has the (appointment) right to confer on another (the appointee) an attribute
or right that the appointer may not herself have. (In general, the conferred
right can itself be an appointment right.) Threshold delegation is also called
k-out-of-n (n ≥ 1 and n ≥ k) delegation, meaning the authority is delegated
to n parties, each of which only gets a fragment of it. It is effective only
if at least k of these parties issue their requests or exercise their authorities
in concert.
Compliance checking (also called policy evaluation or query evaluation )
answers the question: Does a set of credentials prove that a request complies
with the security policy associated with a given resource? The process of
evaluating a query involves finding a chain of credentials that delegate authority
from the resource owner to the requester. This process is also called credential
chain discovery [47]. As we shall see, it can be helpful to imagine credential
chains in graphical terms. To a first approximation, a credential chain can
be thought of as a path from the resource provider to the requester in which
nodes are principals and edges are credentials. However, the details of such
a credential graph depend on the TM system and, in general, a chain may
correspond to a richer subgraph structure.
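
The compliance check described above, together with the k-out-of-n rule from the delegation paragraph, as an added example that is not from the original text. It assumes credentials have already been signature-verified and models them as plain tuples; every principal name, the right "read", and the function name check_compliance are hypothetical.

```python
# Constructed credentials; every principal and right name is hypothetical.
# Simple delegation: (issuer, subject, right).
SIMPLE = [
    ("Bob", "StateBoard", "read"),
    ("StateBoard", "Carol", "read"),
    ("Carol", "Alice", "read"),
    ("Mallory", "Eve", "read"),        # not rooted at the resource owner
    ("Auditor1", "Dave", "read"),
    ("Auditor2", "Dave", "read"),
    ("Auditor1", "Frank", "read"),     # only one of the required two
]
# Threshold delegation: (issuer, parties, k, right); n = len(parties).
THRESHOLD = [("Bob", frozenset({"Auditor1", "Auditor2", "Auditor3"}), 2, "read")]


def check_compliance(owner, requester, right, simple, threshold):
    """Return the credentials that prove the request, or None if none do."""
    proof = {owner: []}  # principal -> credentials justifying its authority
    changed = True
    while changed:       # forward-chain from the owner to a fixed point
        changed = False
        for issuer, subject, r in simple:
            if r == right and issuer in proof and subject not in proof:
                proof[subject] = proof[issuer] + [(issuer, subject, r)]
                changed = True
        for issuer, parties, k, r in threshold:
            if r != right or issuer not in proof:
                continue
            # Collect, per subject, the credentials issued by group members.
            # A member alone holds only a fragment, so it never enters `proof`.
            backing = {}
            for i, s, r2 in simple:
                if r2 == right and i in parties:
                    backing.setdefault(s, {})[i] = (i, s, r2)
            for s, by_party in backing.items():
                if s not in proof and len(by_party) >= k:
                    group = (issuer, tuple(sorted(parties)), k, r)
                    proof[s] = proof[issuer] + [group] + list(by_party.values())
                    changed = True
    return proof.get(requester)


if __name__ == "__main__":
    for who in ("Alice", "Dave", "Eve", "Frank"):
        print(who, check_compliance("Bob", who, "read", SIMPLE, THRESHOLD))
```

Alice's proof is a plain path of three credentials, while Dave's is the richer subgraph the text mentions: one threshold credential plus the two auditor credentials that satisfy it.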
As mentioned earlier, trust negotiation is the process of establishing
bilateral trust at run time. Trust negotiation uses verifiable, unforgeable digital
credentials that describe principals' properties, together with explicit policies
that describe the properties that a principal must possess in order to gain
access to a particular resource. When Alice wishes to access a resource owned
by Bob, she and Bob follow one of many proposed trust negotiation protocols
to determine whether she has the right properties, i.e., whether her credentials
satisfy the policy that Bob has specified for access to that resource.
To show how trust negotiation works, let us consider the scenario in Figure
1. Suppose that Alice wants to purchase prescription medication over the web
from Bob's pharmacy, which she has never visited before.
Bob's pharmacy sends her its sales policy, which will allow Alice to
make the purchase if she presents a prescription issued to her by a
doctor licensed to practice medicine in Bob's country.
Since Alice has no prior experience with Bob's pharmacy, she tells
Bob that he must prove that he is a licensed pharmacist before she
will reveal her prescription. In response, Bob presents a state-issued
pharmacist's credential. Alice verifies that the credential is properly
signed, and follows a short protocol that allows Bob to prove that he