Reasoning about Joint Administration of Access Policies for Coalition Resources
نویسندگان
چکیده
We argue that joint administration of access policies for a dynamic coalition formed by autonomous domains requires that these domains set up a coalition authority that distributes attribute certificates authorizing access to policy objects (e.g., ACLs). Control over the issuance of such certificates is retained by member domains separately holding shares of the joint coalition authority’s private key with which they sign the attribute certificates. Hence, any (proper) subset of the member domains need not be trusted to protect the private key. However, application servers that implement joint administration of access policies based on attribute certificates must trust all the signers of those certificates, namely all member domains of the coalition. To capture these trust relations we extend existing access control logics and show that the extensions are sound. To reason about joint administration of access policies, we illustrate an authorization protocol in our logic for accessing policy objects using threshold attribute certificates.
منابع مشابه
1 Reasoning about Joint Administration of Access Policies for Coalition Resources
We argue that joint administration of access polic ies for a dynamic coalition formed by autonomous domains requires that these domains set up a central author ity that distributes threshold attribute certificat es authorizing access to policy objects (e.g., ACLs). Joint author ity over the issuance of such certificates is retai ned by member domains separately holding shares of the central au ...
متن کاملIntegrated Security Services for Dynamic Coalitions
Coalitions are collaborative networks of autonomous domains where resource sharing is achieved by the distribution of access permissions to coalition members based on negotiated resource-sharing agreements. The focus of our research is on dynamic coalitions, namely, coalitions where member domains may leave or new domains may join during the life of the coalition. We have developed a set of too...
متن کاملA Distributed Service Registry for Resource Sharing Among Ad-Hoc Dynamic Coalitions
In a dynamic coalition environment, it is essential to allow automatic sharing of resources among coalition members. The challenge is to facilitate such sharing while adhering to the security policies of each coalition. To accomplish this, a dynamic coalition-based access control (DCBAC) has been proposed earlier, where security policies enforced by each coalition member are published in a cent...
متن کاملManaging Intelligence Resources Using Semantic Matchmaking and Argumentation
Abstract. Effective deployment and utilisation of limited and constrained intelligence, surveillance and reconnaissance (ISR) resources is seen as a key issue in modern network-centric joint-forces operations. In this chapter, we examine the application of semantic matchmaking and argumentation technologies to the management of ISR resources in the context of coalition operations. We show how o...
متن کاملAutomated Reasoning about XACML 3.0 Delegation Using Answer Set Programming
XACML is an XML-based declarative access control language standardized by OASIS. Its latest version 3.0 has several new features including the concept of delegation for decentralized administration of access control. Though it is important to avoid unintended consequences of ill-designed policies, delegation makes formal analysis of XACML policies highly complicated. In this paper, we present a...
متن کامل