The PERMIS X.509 role based privilege management infrastructure

This paper describes the ECPERMIS project, which has developed a role-based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorisation policy, which is itself stored in an X.509 AC, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorisation policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java, and its Java API is simple to use, comprising just three methods and a constructor. There is also a Privilege Allocator, a tool that constructs and signs ACs and stores them in an LDAP directory for subsequent use by the ADF.
