Abductive Authorization Credential Gathering

A central task in the context of logic-based decentralized authorization languages is that of gathering, from credential providers, the credentials that the resource guard's policy requires in order to grant a user's access request. This paper presents an abduction-based algorithm that computes a specification of the missing credentials without communicating with remote credential providers. The specification is then used to gather the credentials from the providers in a single pass, without any communication with the resource guard. The credentials gathered in this way are pushed to the resource guard at authorization time. This approach decouples authorization from credential gathering, and, in comparison to server-side pull methods, reduces the number of messages sent between participants and allows for environments in which some credential providers are unknown or unavailable to the resource guard at authorization time.
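As an added example that is not the paper's algorithm or code, the following toy abductive query over a Datalog-style policy shows the idea behind the abstract: with only the guard's policy and locally held credentials, it computes the set of credentials that would still have to be issued by remote providers for the goal to be derivable, grouped by the provider that would have to be asked (one request per provider is then the single gathering pass). The guard policy, the issuer names `guard` and `hr`, and the principals `alice` and `bob` are all constructed for the example.

```python
# Added example (an illustration, not the paper's algorithm): a toy abductive query over a
# Datalog-style policy. Atoms are (issuer, predicate, arg, ...); an uppercase-initial string is a variable.
POLICY = [  # constructed policy of the resource guard; a local fact is a rule with an empty body
    (("guard", "canAccess", "X", "payroll"),
     [("guard", "employee", "X"), ("hr", "clearance", "X", "secret")]),
    (("guard", "employee", "X"), [("hr", "employee", "X")]),
    (("hr", "employee", "bob"), []),  # a credential the guard already holds
]
PROVIDERS = {"hr"}  # issuers whose credentials may be fetched, i.e. are abducible
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()
def deref(t, s):  # follow a chain of variable bindings to its final value
    return deref(s[t], s) if t in s else t
def unify(a, b, s):
    """Return s extended so that atoms a and b agree, or None if they cannot."""
    if len(a) != len(b):
        return None
    s = dict(s)
    for x, y in zip(a, b):
        x, y = deref(x, s), deref(y, s)
        if not is_var(x):
            x, y = y, x  # put the variable, if there is one, on the left
        if is_var(x) and x != y:
            s[x] = y
        elif x != y:
            return None
    return s

def abduce(goals, s, hyps, depth=0):
    """Yield sets of provider credentials whose addition lets POLICY prove every goal."""
    if not goals:
        yield frozenset(hyps)
        return
    goal, rest = tuple(deref(t, s) for t in goals[0]), goals[1:]
    for head, body in POLICY:  # 1. derive the goal from a rule or a locally held fact
        rn = lambda a: tuple(f"{t}_{depth}" if is_var(t) else t for t in a)  # fresh variables
        s2 = unify(goal, rn(head), s)
        if s2 is not None:
            yield from abduce([rn(b) for b in body] + rest, s2, hyps, depth + 1)
    if goal[0] in PROVIDERS and not any(map(is_var, goal)):  # 2. or assume it is missing
        yield from abduce(rest, s, hyps | {goal}, depth + 1)

def missing_credentials(goal):
    """Smallest credential set to gather, grouped by provider, or None if unprovable."""
    explanations = list(abduce([goal], {}, frozenset()))
    if not explanations:
        return None
    spec = {}
    for cred in min(explanations, key=len):
        spec.setdefault(cred[0], set()).add(cred)
    return spec
```

For `alice` the specification names two `hr` credentials, for `bob` only the clearance (his employment credential is already held), and a goal the policy cannot derive at all yields `None` without contacting any provider.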
