Authorization policy in a PKI environment

The major emphasis of Public Key Infrastructure (PKI) has been to provide a cryptographically secure means of authenticating identities. While a number of standards have been proposed for authorization structures and protocols built on X.509 or other key-based identities, none has been widely adopted. As part of an effort to use X.509 identities to provide authorization in highly distributed environments, we have developed and deployed an authorization service based on X.509-identified users and on access policy contained in certificates signed by X.509-identified stakeholders. The major goal of this system, called Akenti, is a usable authorization system for an environment of distributed resources used by geographically and administratively distributed users.
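The arrangement the abstract describes (X.509-identified users, access policy carried in statements signed by X.509-identified stakeholders, and a service that checks those signatures before combining the policies) can be sketched in Go with the standard library. This is an added example written for this page, not Akenti's code or policy language: the Policy format, the names, the self-signed stakeholder certificates, the choice of Ed25519 signatures, and the rule that every configured stakeholder must grant a request are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical use condition (this example's format, not Akenti's): Subject (an X.509 CN) may do Action on Resource.
type Policy struct{ Resource, Subject, Action string }
type SignedPolicy struct {
	Policy    Policy
	Signer    *x509.Certificate // stakeholder certificate shipped with the policy
	Signature []byte            // Ed25519 signature over the policy's JSON encoding
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity mints a self-signed X.509 certificate and key for a named party (constructed test data, not a real PKI).
func newIdentity(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	key := ed25519.NewKeyFromSeed(seed)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der)), key
}

// signPolicy has a stakeholder sign a policy with its private key.
func signPolicy(p Policy, signer *x509.Certificate, key ed25519.PrivateKey) SignedPolicy {
	return SignedPolicy{Policy: p, Signer: signer, Signature: ed25519.Sign(key, must(json.Marshal(p)))}
}

// Authorize grants only if every stakeholder (the certs this service trusts to set policy for the
// resource; "all must grant" is this example's assumed combining rule) signed a matching policy.
func Authorize(resource, subject, action string, stakeholders []*x509.Certificate, policies []SignedPolicy) bool {
	granted := map[*x509.Certificate]bool{}
	now := time.Now()
	for _, sp := range policies {
		var trusted *x509.Certificate
		for _, s := range stakeholders {
			if sp.Signer.Equal(s) {
				trusted = s // verify with the service's own copy, not the cert shipped with the policy
			}
		}
		if trusted == nil || now.Before(trusted.NotBefore) || now.After(trusted.NotAfter) {
			continue // not a stakeholder for this resource, or certificate not currently valid
		}
		if trusted.CheckSignature(x509.PureEd25519, must(json.Marshal(sp.Policy)), sp.Signature) != nil {
			continue // forged, or altered after signing
		}
		if p := sp.Policy; p.Resource == resource && p.Subject == subject && p.Action == action {
			granted[trusted] = true
		}
	}
	for _, s := range stakeholders {
		if !granted[s] {
			return false
		}
	}
	return len(stakeholders) > 0 // no stakeholders configured: fail closed
}

// Demo runs a constructed scenario (two trusted stakeholders, one outsider) and returns each user's "read" decision.
func Demo() map[string]bool {
	owner, ownerKey := newIdentity("resource-owner")
	ops, opsKey := newIdentity("site-operations")
	mallory, malloryKey := newIdentity("mallory") // not a stakeholder
	const res = "simulation-cluster"
	forged := signPolicy(Policy{res, "alice", "read"}, owner, ownerKey)
	forged.Policy.Subject = "dave" // edited after signing: the signature no longer matches
	policies := []SignedPolicy{
		signPolicy(Policy{res, "alice", "read"}, owner, ownerKey), signPolicy(Policy{res, "alice", "read"}, ops, opsKey),
		signPolicy(Policy{res, "carol", "read"}, mallory, malloryKey), // signer is not a stakeholder
		signPolicy(Policy{res, "dave", "read"}, ops, opsKey), forged,  // owner's grant for dave is forged
	}
	out := map[string]bool{}
	for _, u := range []string{"alice", "carol", "dave"} {
		out[u] = Authorize(res, u, "read", []*x509.Certificate{owner, ops}, policies)
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

Running it grants alice (both stakeholders signed a matching policy) and denies carol and dave: carol's policy is discarded before its contents are even read, because its signer is not in the stakeholder list for the resource, and dave's policy from the owner fails signature verification because it was altered after signing. A deployment would additionally chain each stakeholder certificate to an accepted CA and check revocation, which the example omits.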
