A Revocation, Validation and Authentication Protocol for SPKI Based Delegation Systems

Yki Kortesniemi
Helsinki University of Technology,
Department of Computer Science,
FIN-02015 HUT, Espoo, Finland

Tero Hasu
Helsinki University of Technology,
Department of Computer Science,
FIN-02015 HUT, Espoo, Finland

Jonna Särs
Nixu Oy
Mäkelänkatu 91
FIN-00610 Helsinki, Finland

Abstract

In distributed systems, the access control mechanism is often modeled after stand-alone solutions, such as ACLs. Such an arrangement, however, is not ideal, as the system may be mirrored around the world and maintaining the ACLs becomes a problem. A new approach to this problem is using authorisation certificates to control access to resources. This diminishes management overhead, but introduces problems with revocation.

A related problem is enforcing quotas in distributed systems. Traditionally, authorisation certificates just limit the usage interval, but not the volume. In this paper, we discuss these problems in SPKI-based delegation systems and propose some refinements to the SPKI specification. In particular, we address the problem of limiting the usage of resources to which a certificate grants access. Finally, we develop a protocol for solving these problems using online revocation and validation.

BibTeX

@inproceedings{KorHasSar00,
author = "Yki Kortesniemi and Tero Hasu and Jonna S{\"a}rs",
title = "A Revocation, Validation and Authentication Protocol for
         {SPKI} Based Delegation Systems",
booktitle = {Proceedings of Network and Distributed System Security Symposium (NDSS)},
address = {San Diego, California, USA},
month = Feb,
year = 2000
}