Federation Web: a scheme to compound authorization chains on large-scale distributed systems

Traditional security systems are not easily scalable and can become single points of failure or performance bottlenecks when used on a large-scale distributed system such as the Internet. This problem occurs also when using a public key infrastructure (PKI) with a hierarchical thrust model. SDSI/SPKI is a PKI that adopts a more scalable trust paradigm, which is focused on the client and based on authorization chains. However, the task of locating the chain that links a client to a server is not completely addressed by SDSI/SPKI. Aiming to overcome this limitation, the paper proposes extensions to the SDSI/SPKI authorization and authentication model. The proposed approach introduces the concept of Federation Webs, which allows the client to build new authorization chains linking it to a server when a direct path does not exist. A prototype implementation of this proposal has shown promising results.

[1]  Tuomas Aura,et al.  Fast Access Control Decisions from Delegation Certificate Databases , 1998, ACISP.

[2]  Dwaine E. Clarke,et al.  SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI , 2001 .

[3]  Joan Feigenbaum,et al.  The KeyNote Trust-Management System Version 2 , 1999, RFC.

[4]  Pekka Nikander,et al.  Storing and Retrieving Internet Certificates , 1998 .

[5]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[6]  Ninghui Li,et al.  Local names in SPKI/SDSI , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[7]  Simson L. Garfinkel,et al.  PGP: Pretty Good Privacy , 1994 .

[8]  Sameer Ajmani,et al.  A trusted execution platform for multiparty computation , 2000 .

[9]  Joan Feigenbaum,et al.  The KeyNote Trust-Management System , 1998 .

[10]  J. Feigenbaum,et al.  The KeyNote trust management system version2, IETF RFC 2704 , 1999 .

[11]  Morrie Gasser,et al.  An architecture for practical delegation in a distributed system , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[12]  Proceedings 22nd International Symposium on Reliable Distributed Systems , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[13]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[14]  Horst F. Wedde,et al.  Modular authorization , 2001, SACMAT '01.

[15]  Tuomas Aura,et al.  On the structure of delegation networks , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).