Chapter 9 Credentials-based Authorization

Author

  • Fred B. Schneider
Abstract

A set can be defined intensionally by specifying properties required of all its members or it can be defined extensionally by enumerating its elements. For example, the set of people authorized to enter a nightclub might be characterized intensionally by giving a minimum required age or characterized extensionally by providing a guest list. The DAC and MAC authorization policies we have been studying enumerate principals (with privileges), so they are extensionally-defined policies. As a result, these authorization policies do not provide a useful explanation about why a given request is or is not authorized. An intensionally-defined authorization policy would supply such an explanation because, by definition, authorization is decided by checking whether certain properties are satisfied. The properties that needed to be satisfied but aren’t constitute the explanation for why a given request is not authorized. Properties on which we might base an authorization decision include


Similar resources

Consumable Credentials in Logic-Based Access-Control Systems

We present a method to implement consumable credentials in a logic-based distributed authorization system. Such credentials convey use-limited authority (e.g., to open a door once) or authority to utilize resources that are themselves limited (e.g., concert tickets). We design and implement mechanisms to enforce the consumption of credentials in a distributed system, and to protect credentials ...


Consumable Credentials in Logic-Based Access Control

We present a framework to support consumable credentials in a logic-based distributed authorization system. Such credentials convey use-limited authority (e.g., to open a door once) or authority to utilize resources that are themselves limited (e.g., to spend money). We design a framework based on linear logic to enforce the consumption of credentials in a distributed system, and to protect cre...


An Abductive Protocol for Authorization Credential Gathering in Distributed Systems

The problem of authorization in large-scale decentralized systems has been addressed by a number of logic-based policy languages utilizing delegation of authority and distributed security credentials. A central task in this context is that of gathering a set of credentials for a given access request. Previous approaches have focused on methods in which credentials are pulled on-demand from cred...


Consumable Credentials in Linear-Logic-Based Access-Control Systems

We present a method to implement consumable credentials in a logic-based distributed authorization system. Such credentials convey use-limited authority (e.g., to open a door once) or authority to utilize resources that are themselves limited (e.g., concert tickets). We design and implement mechanisms to enforce the consumption of credentials in a distributed system, and to protect credentials ...


Customizing Distributed Proofs of Authorization

When identity-based authorization becomes difficult due to the scalability requirements and highly dynamic nature of open distributed systems, digitally certifiable attributes can be an effective basis for specifying authorization policies. Before an authorization decision is made in such a system, a client needs to collect a set of credentials to prove that it satisfies the authorization polic...



Publication date: 2014