An Authentication Service for Open Network Systems. In

26 In this paper, we have omitted discussion of many of the more practical details due to length limitation. For example, the problems of consistency (due to cache invalidation and certiicate expiration), group membership maintenance and propagation of authorization must be addressed in an implementation. A prototype implementation of our design is currently under way. We have nished implementing an authentication substrate upon which our authorization service operates. We are now mainly focused on nding eecient evaluation strategies for GACL. We plan to report our implementation results in a future paper, which would also address the practical details mentioned above. For future work, we are considering the following directions: (1) To develop a better understanding of anonymous authorization. In particular, a Principle of Minimal Identity (i.e., a client should be allowed to supply only the minimal identiication required to obtain authorization) should be formulated and studied. (2) To design an incremental update procedure so that an authorization server can incorporate new authorizations from an end server in an eecient manner. (3) To develop compilation strategies for the GACL language. (4) To propose and study an API for integrating our authorization service into application programs. 25 for services that manage a large number of objects with complex dependencies. Its formal semantics facilitates the implementation of diierent evaluation strategies that can interop-erate. The use of a declaration section is novel. It provides directives for choosing the most eecient evaluation strategy. For example, an unordered gacl can potentially make use of direct hashing in its evaluation, while an ordered gacl allows a partial evaluation strategy. The language of policy base proposed in 20] is more general than GACL (in particular, it subsumes rst-order logic) and has a much more abstract semantics. The GACL language is intended to be practical, and can indeed express the basic structural properties identiied in 20], though not in their full generality. Moreover, the semantics of GACL is more procedural, as opposed to the declarative nature of the semantics of the language of policy base. The use of a declaration section also adds to the practicality of GACL. Authenticated delegation has been used and studied in other works 2, 4, 6, 15]. Most of these works, with the notable exception of Neuman's 15], concentrates on the authentication and operational aspects of delegation rather than its application. The work reported in 2, 6] presents a formal understanding of authenticated delegation. …