Babak Sadighi Firozabadi

Using Authority Certificates to Create Management Structures

We address the issue of updating privileges in a dynamic environment by introducing authority certificates in a Privilege Management Infrastructure. These certificates can be used to create access-level permissions but also to delegate authority to other agents, thereby providing a mechanism for creating management structures and for changing these structures over time. We present a semantic framework for privileges and certificates and an associated calculus, encoded as a logic program, for reasoning about them. The framework distinguishes between the time a certificate is issued or revoked and the time for which the associated privilege is created. This enables certificates to have prospective and retrospective effects, and allows us to reason about privileges and their consequences in the past, present, and future. The calculus provides a verification procedure for determining, given a set of declaration and revocation certificates, whether a certain privilege holds.

Contractual Access Control

In this position paper we discuss the issue of enforcing access policies in distributed environments where there is no central system designer/administrator, and consequently no guarantee that policies will be properly implemented by all components of the system. We argue that existing access control models, which are based on the concepts of permission and prohibition, need to be extended with the concept of entitlement. Entitlement to access a resource means not only that the access is permitted but also that the controller of the resource is obliged to grant the access when it is requested. An obligation to grant the access however does not guarantee that it will be granted: agents are capable of violating their obligations. In the proposed approach we discuss a Community Regulation Server that not only reasons about access permissions and obligations, but also updates the normative state of a community according to the contractual performance of its interacting agents.

Towards a mechanism for discretionary overriding of access control

Because it is difficult to predict access needs in advance and the limitations of formal policy languages it is difficult to completely define an access control policy ahead of the actual use. We suggest the use of an policy language which allows for override of denied access in some cases for increased flexibility. The overrides should be audited and we suggest that the access control policy can be used for finding the people who should perform the audit.

Revocation schemes for delegated authorities

We deal with an existing framework for updating privileges and creating management structures by means of authority certificates. These are used both to create access-level permissions and to delegate authority to other agents. Here we extend the framework to support a richer set of revocation schemes. The discussion of revocation follows an existing classification in the literature based on three separate dimensions: resilience, propagation, and dominance. The first one does not apply to this framework. The second one is specified straightforwardly. The third one can be encoded but raises a number of further questions for future investigation.

Using Attribute Certificates for Creating Management Structures

I will start with presenting the motivation behind this work, then I will give some background from where we have borrowed some of the ideas. I will try to connect the ideas and give a complete picture, at the end. I will discuss the notion of delegation and present what we mean by delegation and then give a framework for representing and reasoning about delegations using attribute certificates. This research is funded by Microsoft Research here at Cambridge. OK, so what is the motivation? We have seen several types of application where there is a need for decentralised management of privileges. It is important to mention that we are not talking about distributing privileges, but decentralising management activities within an organisation or between several organisations. We have for example looked at similar type of scenarios that was presented in the talk by Silja and Tuomas earlier1. What they (the military people that we talked to) are interested in is that they don’t want to have a static access control list, because the environment they are working in is changing frequently. They want a model to capture the dynamics of access privileges. The issue is how to make these privileges dynamic and at the same time keep certain control over their updates. In other words the issue is to give flexibility and at the same time keep the control. Let me give you an example from business-to-business type of applications. We were looking at an Extranet system between three companies A, B1, and B2. A is a manufacturer of components to mobile phones and both B1 and B2 are manufacturing mobile phones. The purpose of the system is to give B1 and B2 possibility to order components and do other things through the system. When A tested the system with only 100 users they realised that the administration of access privileges is a big issue. The problem is that both B1 and B2 are large and dynamic organisations. An employee can be involved in several projects and project members can change on daily or weekly basis. This requires an administration on A’s side to update access privileges for employees of B1 and B2. What A is interested in is to let B1 and B2 update their access privileges but again in some controlled way. At the same time B1 and B2 wanted to keep certain information about their organisational structure and their employees secret. This example just illustrates the kind of applications and problems that we are studying. Now I want to discuss some background work and to talk about ideas that we have borrowed from several areas. We distinguish between what we call insti-