management system, it had significant impact on the TM system SD3 [32, 33]
proposed by Trevor Jim. One of the main contributions of QCM that can
be adopted by other TM systems is its design of a policy-directed certificate
retrieval mechanism [25], which enables the TM evaluator to automatically
detect and identify missing but needed certificates and to retrieve them from
remote certificate repositories. It uses query decomposition and optimization
techniques, and discusses its novel solutions in terms of network security, such
as private key protection methods.
SD3 [32, 33] is the successor of QCM and inherits design features from
QCM, such as the certificate retrieval mechanism in a dynamic decentralized
certificate storage system. The SD3 project aimed to make trust management
systems easy for applications to use. To this end, SD3 is responsible
for verifying cryptographic signatures. In addition, SD3 has a credential
retrieval mechanism that enables the evaluation of authorization decisions in
the context of distributed credential storage. (We return to this in Section 4.)
Finally, in order to guarantee returning a correct answer, SD3 implements
certified evaluations, in which a checker checks the evaluator's outcome
before passing it to the calling application. Together these features ensure that
calling applications need only specify policy, without worrying about how it
is enforced.
SD3 enables application developers to write policy statements in an extended
Datalog that introduces a notion of name space in which predicates
and relations are defined. It extends Datalog with SDSI names. For
example, consider the following SD3 rule, which expresses the recursive
case in the definition of the transitive closure (T) of the edge relation E:
"T(x, y) :- K$E(x, y), T(y, z)". Here K is a public key, E is a local relation
name, defined in K's name space, and K$E is a global relation name, the
definition of which is independent of the point of evaluation. The presence of
this rule in a rule base associated with a given name space says that the pair
(x, y) is in the local relation T if it is in K's E relation. SD3 also allows an
IP address A to be paired with its global name, such as (K@A)$E, in which
A is the IP address of an evaluation service operated by the principal that has
public key K. The address assists in locating the evaluation agent and rule
base associated with K, though the authenticity of the rule base is ensured
by using K.
We take this opportunity to introduce some Datalog terminology: the
atomic formula to the left of the :- (T(x, y) in the example) is called the
head of the rule or clause; the comma-separated list of atomic formulas to the
right is called the body. These commas represent conjunction.
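The naming scheme above can be made concrete with a short sketch, added here as an illustration and not taken from SD3 itself. It splits a rule into head and body and shows that a local name such as T resolves to a different relation in each name space, while K$E and (K@A)$E always denote the same relation, because the address is only a location hint. The concrete syntax (identifier-style keys, IPv4 addresses), the function names, and the keys KA, KB and address 10.0.0.7 are assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional

class Atom(NamedTuple):
    key: Optional[str]      # public key owning the name space; None = local name
    address: Optional[str]  # location hint only, never part of the identity
    relation: str
    args: tuple

# Assumed concrete syntax: keys/relations are identifiers, addresses are IPv4.
ATOM = re.compile(r"""\s*(?:(?:\(\s*(?P<k1>\w+)\s*@\s*(?P<addr>[\d.]+)\s*\)
                            |(?P<k2>\w+))\s*\$\s*)?
                      (?P<rel>\w+)\s*\(\s*(?P<args>[^()]*)\)\s*""", re.X)

def parse_atom(text):
    m = ATOM.fullmatch(text)
    if m is None:
        raise ValueError(f"not an atom: {text!r}")
    args = tuple(a.strip() for a in m["args"].split(",") if a.strip())
    return Atom(m["k1"] or m["k2"], m["addr"], m["rel"], args)

def parse_rule(text):
    """Return (head, body) for 'head :- atom, atom, ...'."""
    head, sep, body = text.strip().rstrip(".").partition(":-")
    if not sep:
        raise ValueError("missing ':-'")
    # Split the body on commas that are not inside parentheses.
    parts = re.findall(r"(?:\([^()]*\)|[^,()])+", body)
    return parse_atom(head), [parse_atom(p) for p in parts]

def global_name(atom, here):
    """(key, relation) identity; a local name belongs to the evaluating name space."""
    return (atom.key or here, atom.relation)

def resolve(text, here):
    """Global names of the head and of each body atom when evaluated in 'here'."""
    head, body = parse_rule(text)
    return global_name(head, here), [global_name(a, here) for a in body]

RULE = "T(x, y) :- K$E(x, y), T(y, z)"   # the rule quoted in the text

if __name__ == "__main__":
    for ns in ("KA", "KB"):                      # constructed name-space keys
        print(ns, resolve(RULE, ns))
    print(parse_atom("(K@10.0.0.7)$E(x, y)"))    # constructed address
```

Because the identity of a relation is the pair (key, relation), a verifier that compares global names this way cannot be redirected to a different rule base by changing the address alone.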
3.4 RT
The RT framework [46, 48, 45] is a family of Role-based Trust-management
languages that combines the strengths of RBAC (Role-Based Access Control)
[1] and the strengths of trust-management systems. Different languages