Physical Sciences and Mathematics Commons^™

A Formal Semantics For Spki, Jon Howell, David Kotz

Dartmouth Scholarship

We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.

End-To-End Authorization, Jon Howell, David Kotz

Dartmouth Scholarship

Many boundaries impede the flow of authorization information, forcing applications that span those boundaries into hop-by-hop approaches to authorization. We present a unified approach to authorization. Our approach allows applications that span administrative, network, abstraction, and protocol boundaries to understand the end-to-end authority that justifies any given request. The resulting distributed systems are more secure and easier to audit. \par We describe boundaries that can interfere with end-to-end authorization, and outline our unified approach. We describe the system we built and the applications we adapted to use our unified authorization system, and measure its costs. We conclude that our system …

Restricted Delegation: Seamlessly Spanning Administrative Boundaries, Jon Howell, David Kotz

Dartmouth Scholarship

Historically and currently, access control and authentication is managed through ACLs. Examples include:

• the list of users in /etc/password, the NIS passwd map, or an NT domain

• permissions on Unix files or ACLs on NT objects

• a list of known hosts in .ssh/known hosts

• a list of IP addresses in .rhosts (for rsh) or .htaccess (http)

The limitations of ACLs always cause problems when spanning administrative domains (and often even inside administrative domains). The best example is the inability to express transitive sharing. Alice shares read access to object X with Bob (but not access to …