Local names in SPKI/SDSI

We analyze the notion of "local names" in SPKI/SDSI. By interpreting local names as distributed groups, we develop a simple logic program for SPKI/SDSI's linked local-name scheme and prove that it is equivalent to the name-resolution procedure in SDSI 1.1 and the 4-tuple-reduction mechanism in SPKI/SDSI 2.0. This logic program is itself a logic for understanding SDSI's linked local-name scheme and has several advantages over previous logics. We then enhance our logic program to handle authorization certificates, threshold subjects, and certificate discovery. This enhanced program serves both as a logical characterization and an implementation of SPKI/SDSI 2.0's certificate reduction and discovery. We discuss the way SPKI/SDSI uses the threshold subjects and names for the purpose of authorization and show that, when used in a certain restricted way, local names can be interpreted as distributed roles.

[1]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.

[2]  Tuomas Aura,et al.  Fast Access Control Decisions from Delegation Certificate Databases , 1998, ACISP.

[3]  Joan Feigenbaum,et al.  A practically implementable and tractable delegation logic , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[4]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[5]  Butler W. Lampson,et al.  Simple Public Key Certificate , 1998 .

[6]  Joan Feigenbaum,et al.  The Role of Trust Management in Distributed Systems Security , 2001, Secure Internet Programming.

[7]  Stephen T. Kent,et al.  Internet Privacy Enhanced Mail , 1993, CACM.

[8]  K. A. Ross,et al.  Tabled Evaluation with Delaying for General Logic Programs , 1996 .

[9]  Butler W. Lampson,et al.  Authentication in distributed systems , 1993 .

[10]  David Scott Warren,et al.  The XSB Programming System , 1993, Workshop on Programming with Logic Databases , ILPS.

[11]  Martín Abadi,et al.  On SDSI's linked local name spaces , 1997, Proceedings 10th Computer Security Foundations Workshop.

[12]  Joseph Y. Halpern,et al.  A logic for SDSI's linked local name spaces: preliminary version , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[13]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[14]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[15]  Martín Abadi,et al.  A Calculus for Access Control in Distributed Systems , 1991, CRYPTO.

[16]  Jean-Emile Elien,et al.  Certificate discovery using SPKI/SDSI 2.0 certificates , 1998 .

[17]  Ronald L. Rivest,et al.  Certificate Chain Discovery in SPKI/SDSI , 2002, J. Comput. Secur..

[18]  Joan Feigenbaum,et al.  A logic-based knowledge representation for authorization with delegation , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.