Flexible Treatment of Certificate Revocation Under Communal Access Control

The conventional approach to distributed access-control (AC) tends to be servercentric. Under this approach, each server establishes its own policy regarding the use of its resources and services by its clients. The choice of this policy, and its implementation, are generally considered the prerogative of each individual server. This approach to access-control may be appropriate for many current client-server applications, where the server is an autonomous agent, in complete charge of its resources. But it is not suitable for the growing class of applications where a group of servers, and sometimes their clients, belong to a single enterprise, and are subject to the enterprise-wide policy governing them all. One may not be able to entrust such an enterprise-wide policy to the individual servers, for two reasons: First, it is hard to ensure that an heterogeneous set of servers implement exactly the same policy. Second, as we will argue, an AC policy can have aspects that cannot, in principle, be implemented by servers alone. It is our thesis that what is needed in this situation is a concept of communal policy that governs the interaction between the members of a distributed community of agents involved in some common activity, along with a mechanism that provides for the explicit formulation of such policies, and for their scalable enforcement. This paper focuses on the communal treatment of expiration and revocation of the digital certificates used for the authentication of the identity and roles of members of the community.