An Access-Control Calculus for Spanning Administrative Domains
Authors
Abstract
In our quest to give users uniform access to resources unimpeded by administrative boundaries, we discovered that we needed transitive sharing among users, with the possibility of restricted access along each sharing link. To achieve that goal, we extend Lampson et al.’s calculus for access control to support restricted delegations. We discuss the advantages of our extension, including the simplification of constructs like ACLs and statement expiration. We also apply our extension to model the Simple Public Key Infrastructure and make suggestions about its future development. Our extended calculus exposes some surprising consequences in such systems that use restricted delegation.
Similar resources
Negotiating Trust on the Grid
Grids support dynamically evolving collections of resources and users, usually spanning multiple administrative domains. The dynamic and cross-organizational aspects of Grids introduce challenging management and policy issues for controlling access to Grid resources. In this paper we show how to extend the Grid Security Infrastructure to provide better support for the dynamic and cross-organizat...
Access control in ultra-large-scale systems using a data-centric middleware
The primary characteristic of an Ultra-Large-Scale (ULS) system is ultra-large size on any related dimension. A ULS system is generally considered as a system-of-systems with heterogeneous nodes and autonomous domains. As the size of a system-of-systems grows, and interoperability demand between sub-systems is increased, achieving more scalable and dynamic access control system becomes an im...
A Typed Process Calculus for Fine-Grained Resource Access Control in Distributed Computation
We propose the π-calculus, a process calculus that can flexibly model fine-grained control of resource access in distributed computation, with a type system that statically prevents access violations. Access control of resources is important in distributed computation, where resources themselves or their contents may be transmitted from one domain to another and thereby vital resources may be e...
A Reliable and Secure Application Spanning Multiple Administrative Domains
VegaFS: A Prototype for File-Sharing Crossing Multiple Administrative Domains
Accessing remote resource is a principal challenge of grid computing. For wide-area file sharing, a most difficult problem is the inability to access files distributed in different administrative domains. In this paper, we propose a file system architecture called VegaFS, which is detached from administrative domains entirely and provides cross-domain file access abilities. The main idea is to ...