Certificate-based authorization policy in a PKI environment

The major emphasis of public key infrastructure has been to provide a cryptographically secure means of authenticating identities. However, procedures for authorizing the holders of these identities to perform specific actions still need additional research and development. While there are a number of proposed standards for authorization structures and protocols, such as KeyNote, SPKI, and SAML, based on X.509 or other key-based identities, none have been widely adopted. As part of an effort to use X.509 identities to provide authorization in highly distributed environments, we have developed and deployed an authorization service based on X.509-identified users and access policy contained in certificates signed by X.509-identified stakeholders. The major goal of this system, called Akenti, is to produce a usable authorization system for an environment consisting of distributed resources used by geographically and administratively distributed users. Akenti assumes communication between users and resources over a secure protocol such as transport layer security (TLS) to provide mutual authentication with X.509 certificates. This paper explains the authorization model and policy language used by Akenti, and how we have implemented an Apache authorization module to provide Akenti authorization.
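The core of the model described above, as an added illustration that is not Akenti's code and not its policy language: a stakeholder identified by an X.509 certificate signs a policy statement, and the resource server accepts a request only if the statement verifies against the trusted stakeholder certificate and names the subject that TLS client authentication established. The `Policy` format, the `NewStakeholder`/`SignPolicy`/`Authorize` functions and the sample DNs are hypothetical simplifications.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Policy is a hypothetical, simplified use-condition: the stakeholder states
// which authenticated subject may perform which action on a resource.
type Policy struct{ Resource, Action, Subject string }

// SignedPolicy carries the policy together with the stakeholder's ECDSA signature.
type SignedPolicy struct {
	Policy    Policy
	Signature []byte
}

// digest binds all three fields into one SHA-256 value (NUL separators avoid field-splicing).
func (p Policy) digest() []byte {
	h := sha256.Sum256([]byte(p.Resource + "\x00" + p.Action + "\x00" + p.Subject))
	return h[:]
}

// NewStakeholder creates a self-signed X.509 certificate and key for a policy signer
// (constructed test identity; in practice the certificate comes from a trusted CA).
func NewStakeholder(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignPolicy is the stakeholder's step: sign the policy digest with the certificate's key.
func SignPolicy(key *ecdsa.PrivateKey, p Policy) (SignedPolicy, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, p.digest())
	return SignedPolicy{p, sig}, err
}

// Authorize is the resource server's step: trust only the configured stakeholder
// certificate, reject any policy whose signature fails, then match the subject DN
// that the TLS layer took from the user's client certificate.
func Authorize(stakeholder *x509.Certificate, sp SignedPolicy, userDN, resource, action string) bool {
	pub, ok := stakeholder.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, sp.Policy.digest(), sp.Signature) { return false }
	return sp.Policy.Resource == resource && sp.Policy.Action == action && sp.Policy.Subject == userDN
}
```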