Scalability Issues in PMI Delegation

The Canadian Department of National Defence (DND) is shifting its methods for the delegation and exercise of authority from paper-based to electronic-based means. DND has deployed a commercial PKI but there is no general technical solution presently employed by DND for access control or electronic authorization of workflow in distributed processing environments. The aim of this research is to show how an authorization system, or privilege management infrastructure (PMI), can be used to support business processes DND. The results are expected to be applicable to large enterprises in general. The research demonstrates how ITU-T standard X.509 can be used to support DND authority and delegation models. The investigation involves the analysis of the key authorizations within a specific DND problem domain. The X.509 standard and concepts from role-based access control form the basis of the PMI design. This involves the use of attribute certificates to control the specification and delegation of privileges. A novel interpretation of X.509 attribute certificates is proposed that provides separate hierarchies of responsibility for the management and delegation of roles. The results provide insight into, and quantification of, the complexity of the resulting delegation chains. The use of a roles based model for delegation is seen as being important to the scaling of PMI to service large enterprises with mature, complex authority structures. If the processing complexity can be managed, the flexibility of being able to model the actual privilege delegation paths in an organization is an advantage of a rolebased model.