Authorization in trust management: Features and foundations

ACM Computing Surveys

Volumn 40, Issue 3, 2008, Pages

  Chapin, Peter C ^a,b   Skalka, Christian ^a,b   Wang, X Sean ^a,b  

^a UNIVERSITY OF VERMONT   (United States)

^b University of Vermont   (United States)

Author keywords

Distributed authorization; Trust management systems

Indexed keywords

ACCESS RIGHTS; DISTRIBUTED AUTHORIZATION; DISTRIBUTED SYSTEMS; GENERIC STRUCTURES; SECURITY PROPERTIES; TRUST MANAGEMENT; TRUST MANAGEMENT SYSTEMS;

INFORMATION THEORY;

FOUNDATIONS;

EID: 49449101262     PISSN: 03600300     EISSN: 15577341     Source Type: Journal    
DOI: 10.1145/1380584.1380587     Document Type: Article

References (94)

1. ABADI, M. 1998. On SDSI's linked local name spaces. J. Comput. Secur. 6, 1-2, 3-21.
2. ABADI, M. 2003. Logic in access control. In Proceedings of the 18th IEEE Symposium on Logic in Computer Science.
3. ABADI, M., BURROWS, M., LAMPSON, B., AND PLOTKIN, G. 1993. A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15, 4, 706-734.
4. AJMANI, S., CLARKE, D. E., MOH, C.-H., AND RICHMAN, S. 2002. ConChord: Cooperative SDSI certificate storage and name resolution. In International Workshop on Peer-to-Peer Systems.
5. APPEL, A. W. AND FELTEN, E. W. 1999. Proof-carrying authentication. In Proceedings of the 6th ACM Conference on Computer and Communications Security. ACM Press, 52-62.
6. BACON, J., MOODY, K., AND YAO, W. 2002. A model of OASIS role-based access control and its support for active security. ACM Trans. Inform. Syst. Secur. 5, 4, 492-540.
7. BAUER, L. 2003. Access control for the web via proof-carrying authorization. Ph.D. thesis, Princeton University.
8. BAUER, L., SCHNEIDER, M. A., AND FELTEN, E. W. 2002. A general and flexible access-control system for the Web. In Proceedings of the 11th USENIX Security Symposium. 93-108.
9. BECKER, M. Y. 2005. Cassandra: Flexible trust management and its application to electronic health records. Tech. rep. 648, University of Cambridge.
10. BECKER, M. Y. AND SEWELL, P. 2004a. Cassandra: Distributed access control policies with tunable expressiveness. In Proceedings of the 5th IEEE International Workshop on Policies for Distributed Systems and Networks.
11. BECKER, M. Y. AND SEWELL, P. 2004b. Cassandra: Flexible trust management, applied to electronic health records. In Proceedings of the 17th IEEE Computer Security Foundations Workshop.
12. BERTINO, E., CATANIA, B., FERRARI, E., AND PERLASCA, P. 2003. A logical framework for reasoning about access control models. ACM Trans. Inform. Syst. Secur. 6, 1, 71-127.
13. BLAZE, M., FEIGENBAUM, J., IOANNIDIS, J., AND KEROMYTIS, A. D. 1999a. RFC-2704: The keyNote trustmanagement system version 2. Internet Engineering Task Force.
14. BLAZE, M., FEIGENBAUM, J., IOANNIDIS, J., AND KEROMYTIS, A. D. 1999b. The role of trust management in distributed systems security. In Secure Internet Programming: Security Issues for Mobile and Distributed Objects. Springer-Verlag, 185-210.
15. BLAZE, M., FEIGENBAUM, J., AND LACY, J. 1996. Decentralized trust management. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 164-173.
16. BLAZE, M., FEIGENBAUM, J., AND STRAUSS, M. 1998. Compliance checking in the policymaker trust management system. In Proceedings of the 2nd International Conference on Financial Cryptography. Springer-Verlag, 254-274.
17. BLAZE, M., IOANNIDIS, J., AND KEROMYTIS, A. D. 2002. Trust management for IPsec. ACM Trans. Inform. Syst. Secur. 5, 2, 95-118.
18. BLAZE, M., IOANNIDIS, J., AND KEROMYTIS, A. D. 2003. Experience with the keynote trust management system: Applications and future directions. In Proceedings of the 1st International Conference on Trust Management. Springer-Verlag, 284-300.
19. BONATTI, P. AND OLMEDILLA, D. 2005a. Policy language specification. REWERSE Deliverable I2-D2, http://rewerse.net/ deliverables.html.
20. BONATTI, P. AND SAMARATI, P. 2000. Regulating service access and information release on the Web. In Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM Press, 134-143.
21. BONATTI, P. AND SAMARATI, P. 2002. A unified framework for regulating access and information release on the Web. J. Comput. Secur. 10, 3, 241-272.
22. BONATTI, P. AND SAMARATI, P. 2003. Logics for authorizations and security. In Logics for Emerging Applications of Databases, J. Chomicki, R. van der Meyden, and G. Saake, Eds. Springer-Verlag.
23. BONATTI, P. A. AND OLMEDILLA, D. 2005b. Driving and monitoring provisional trust negotiation with metapolicies. In IEEE 6th International Workshop on Policies for Distributed Systems and Networks. Stockholm, Sweden.
24. BONATTI, P. A., OLMEDILLA, D., AND PEER, J. 2006. Advanced policy queries. In Proceedings of the 17th European Conference on Artificial Intelligence. IOS Press, 200-204.
25. BURROWS, M., ABADI, M., AND NEEDHAM, R. M. 1990. Alogic of authentication. ACM Trans. Comput. Syst. 8, 1, 18-36.
26. CHU, Y.-H., FEIGENBAUM, J., LAMACCHIA, B., RESNICK, P., AND STRAUSS, M. 1997. REFEREE: Trust management for Web applications. World Wide Web J. 2, 3, 127-139.
27. CLARKE, D., ELIEN, J.-E., ELLISON, C., FREDETTE, M., MORCOS, A., AND RIVEST, R. L. 2001. Certificate chain discovery in SPKI/SDSI. J. Comput. Secur. 9, 4, 285-322.
28. DETREVILLE, J. 2002a. Binder, a logic-based security language. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society.
29. DETREVILLE, J. 2002b. Making certificates programmable. In Proceedings of the 1st Annual PKI Workshop. Hanover, NH.
30. DIMMOCK, N., BELOKOSZTOLSZKI, A., EYERS, D., BACON, J., AND MOODY, K. 2004. Using trust and risk in role-based access control policies. In Proceedings of the 9th ACM Symposium on Access Control Models and Technologies. ACM Press, 156-162.
31. EITER, T., GOTTLOB, G., AND MANNILA, H. 1997. Disjunctive datalog. ACM Trans. Datab. Syst. 22, 3, 364-418.
32. ELLISON, C., FRANTZ, B., LAMPSON, B., RIVEST, R., THOMAS, B., AND YLONEN, T. 1999. RFC-2693: SPKI certificate theory. Internet Engineering Task Force.
33. FERRAIOLO, D. AND KUHN, R. 1992. Role-based access controls. In 15th NIST-NCSC National Computer-Security Conference. 554-563.
34. GAVRILOAIE, R., NEJDL, W., OLMEDILLA, D., SEAMONS, K. E., AND WINSLETT, M. 2004. No registration needed: How to use declarative policies and negotiation to access sensitive resources on the semantic Web. In Proceedings of the 1st European Semantic Web Symposium. Lecture Notes in Computer Science, vol. 3053. Springer, 342-356.
35. GUNTER, C. A. AND JIM, T. 1997. Design of an application-level security infrastructure. In Proceedings of the DIMACS Workshop on Design and Formal Verification of Security Protocols.
36. GUNTER, C. A. AND JIM, T. 2000a. Generalized certificate revocation. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. 316-329.
37. GUNTER, C. A. AND JIM, T. 2000b. Policy-directed certificate retrieval. Softw. Prac. Exper. 30, 15, 1609-1640.
38. GUNTER, C. A., JIM, T., AND WANG, B.-Y. 1997. Authenticated data distribution using query certificate managers, unpublished extended abstract.
39. HALPERN, J. AND VAN DER MEYDEN, R. 1999. A logic for SDSI's linked local name spaces. In Proceedings of the 12th IEEE Computer Security Foundations Workshop. 111-122.
40. HALPERN, J. Y AND VAN DER MEYDEN, R. 2001. A logical reconstruction of SPKI. In Proceedings of the 14th IEEE Computer Security Foundations Workshop. 59-70.
41. HAYTON, R. J., BACON, J. M., AND MOODY, K. 1998. OASIS: Access control in an open distributed environment. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 3-14.
42. HERZBERG, A., MASS, Y., MICHAELI, J., NAOR, D., AND RAVID, Y. 2000. Access control meets public key infrastructure, or: Assigning roles to strangers. In Proceedings of the IEEE Symposium on Security and Privacy.
43. HINE, J. A., YAO, W., BACON, J., AND MOODY, K. 2000. An architecture for distributed OASIS services. In Proceedings of IFIP/ACM International Conference on Distributed Systems Platforms (Middleware'00). Springer-Verlag, 104-120.
44. HOWELL, J. 2000. Naming and sharing resrouces across administrative boundaries. Ph.D. thesis, Dartmouth College.
45. HOWELL, J. AND KOTZ, D. 2000. A formal semantics for SPKI. Tech. rep. 2000-363, Dartmouth College.
46. International Telecommunications Union. 2000. Information Technology-Open Systems Interconnection-The Directory: Public Key and Attribute Certificate Frameworks. International Telecommunications Union.
47. International Telecommunications Union 2001. Information Technology-Open Systems Interconnection-The Directory: Overview of Concepts, Models, and Services. International Telecommunications Union.
48. JAFFAR, J. AND MAHER, M. J. 1994. Constraint logic programming: A survey. J. Logic Program. 19/20, 503-581.
49. JAJODIA, S., SAMARATI, P., SAPINO, M. L., AND SUBRAHMANIAN, V. S. 2001. Flexible support for multiple access control policies. ACM Trans. Datab. Syst. 26, 2, 214-260.
50. JHA, S. AND REPS, T. 2002. Analysis of SPKI/SDSI certificates using model checking. In Proceedings of the 15th IEEE Computer Security Foundations Workshop. IEEE Computer Society, 129.
51. JIM, T. 2001. SD3: A trust management system with certified evaluation. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society.
52. JIM, T. AND SUCIU, D. 2001. Dynamically distributed query evaluation. In Proceedings of the 20th ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems. ACM Press, 28-39.
53. LI, N. 2000. Local names in SPKI/SDSI. In Proceedings of the 13th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 2-15.
54. LI, N. AND FEIGENBAUM, J. 2002. Nonmonotonicity, user interfaces, and risk assessment in certificate revocation. In Proceedings of the 5th International Conference on Financial Cryptography. Springer-Verlag, 166-177.
55. LI, N., GROSOF, B. N., AND FEIGENBAUM, J. 2003. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inform. Syst. Secur. 6, 1, 128-171.
56. LI, N. AND MITCHELL, C. 2006. Understanding spki/sdsi using first-order logic. Int. J. Inform. Secur. 5, 1, 48-64.
57. LI, N. AND MITCHELL, J. C. 2003a. Datalog with constraints: A foundation for trust management languages. In Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages.
58. LI, N. AND MITCHELL, J. C. 2003b. RT: A role-based trust-management framework. In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition. IEEE Computer Society Press, 201-212.
59. LI, N., MITCHELL, J. C., AND WINSBOROUGH, W. H. 2002. Design of a role-based trust-management framework. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 114-130.
60. LI, N., MITCHELL, J. C., AND WINSBOROUGH, W. H. 2005. Beyond proof-of-compliance: Security analysis in trust management. J. ACM 52, 3, 474-514.
61. LI, N., WINSBOROUGH, W. H., AND MITCHELL, J. C. 2003. Distributed chain discovery in trust management. J. Comput. Secur. 11, 1, 35-86.
62. LIU, Y. D. AND SMITH, S. 2002. A component security infrastructure. In Proceedings of the Foundations of Computer Security Workshop.
63. MCDANIEL, P. AND RUBIN, A. D. 2001. A response to "can we eliminate certificate revocation lists?". In Proceedings of the 4th International Conference on Financial Cryptography. Springer-Verlag, 245-258.
64. NECULA, G. C. 1997. Proof-carrying code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM Press, 106-119.
65. NIKANDER, P. AND VILJANEN, L. 1998. Storing and retrieving internet certificates. In Proceedings of the 3rd Nordic Workshop on Secure IT Systems.
66. OASIS. 2006a. OASIS eXtensible access control markup language technical committee. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
67. OASIS. 2006b. OASIS security services technical committee, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.
68. OASIS. 2006c. OASIS Web services security technical committee, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.
69. OFFICE OF TECHNOLOGY ASSESSMENT. 1993. Protecting Privacy in Computerized Medical Information. OTA-TCT-576. U.S. Government Printing Office.
70. POLAKOW, J. AND SKALKA, C. 2006. Specifying distributed trust management in LolliMon. In Proceedings of the ACM Workshop on Programming Languages and Analysis for Security.
71. RESNICK, P. AND MILLER, J. 1996. PICS: Internet access controls without censorship. Comm. ACM 39, 10, 87-93.
72. RIVEST, R. L. 1998. Can we eliminate certificate revocation lists? In Proceedings of the 2nd International Conference on Financial Cryptography. Springer-Verlag, 178-183.
73. RIVEST, R. L. AND LAMPSON, B. 1996a. SDSI-A simple distributed security infrastructure. version 1.0. http://theory.les.mit. edu/~rivest/sdsi10.html.
74. RIVEST, R. L. AND LAMPSON, B. 1996b. SDSI-A simple distributed security infrastructure. version 1.1. http://theory.lcs.mit. edu/~rivest/sdsi11.html.
75. SANDHU, R. S., COYNE, E. J., FEINSTEIN, H. L., AND YOUMAN, C. E. 1996. Role-based access control models. Computer 29, 2, 38-47.
76. SEAMONS, K., WINSBOROUGH, W., AND WINSLETT, M. 1997. Internet credential acceptance policies. In Proceedings of the Workshop on Logic Programming for Internet Applications. Leuven, Belgium.
77. SEAMONS, K., WINSLETT, M., AND YU, T. 2001. Limiting the disclosure of access control policies during automated trust negotiation.
78. SEAMONS, K., WINSLETT, M.,YU, T., SMITH, B., CHILD, E., JACOBSON, J., MILLS, H., ANDYU, L. 2002. Requirements for policy languages for trust negotiation. In Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks. IEEE Computer Society, 68.
79. SIMON, R. T. AND ZURKO, M. E. 1997. Separation of duty in role-based environments. In Proceedings of the 10th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 183-194.
80. SKALKA, C., WANG, X. S., AND CHAPIN, P. 2007. Risk management for distributed authorization. J. Comput. Secur. 15, 4, 447-489.
81. STUBBLEBINE, S. 1995. Recent-secure authentication: Enforcing revocation in distributed systems. In Proceedings of the 1995 IEEE Symposium on Security and Privacy. IEEE Computer Society, 224-235.
82. STUBBLEBINE, S. G. AND WRIGHT, R. N. 1996. An authentication logic supporting synchronization, revocation, and recency. In Proceedings of the 3rd ACM Conference on Computer and Communications Security. ACM Press, 95-105.
83. TOMAN, D. 1997. Memoing evaluation for constraint extensions of datalog. Constraints 2, 337-359.
84. WEEKS, S. 2001. Understanding trust management systems. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 94.
85. WINSBOROUGH, W. H. AND LI, N. 2002. Towards practical automated trust negotiation. In Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks. IEEE Computer Society.
86. WINSBOROUGH, W. H. AND LI, N. 2004. Safety in automated trust negotiation. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 147.
87. WINSBOROUGH, W. H., SEAMONS, K. E., AND JONES, V. E. 2000. Automated trust negotiation. In Procedings of the DARPA Information Survivability Conference and Exposition. Vol. 1. IEEE Computer Society, 88-102.
88. WINSLETT, M., CHING, N., JONES, V., AND SLEPCHIN, I. 1997. Assuring security and privacy for digital library transactions on the Web: Client and server security policies. In Proceedings of the IEEE International Forum on Research and Technology Advances in Digital Libraries. IEEE Computer Society, 140-151.
89. WINSLETT, M., YU, T., SEAMONS, K. E., HESS, A., JACOBSON, J., JARVIS, R., SMITH, B., ANDYU, L. 2002. Negotiating trust on the Web. IEEE Intern. Comput. 6, 6, 30-37.
90. WOBBER, E., ABADI, M., BURROWS, M., AND LAMPSON, B. 1993. Authentication in the TAOS operating system. SIGOPS Operat. Syst. Rev. 27, 5, 256-269.
91. WOO, T. Y. C. AND LAM, S. S. 1993. Authorizations in distributed systems: A new approach. J. Comput. Secur. 2, 2-3, 107-136.
92. XSB INC. 2006. XSB home page, http://xsb.sourceforge.net.
93. YU, T., MA, X., AND WINSLETT, M. 2000. PRUNES: An efficient and complete strategy for automated trust negotiation over the internet. In Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM Press, 210-219.
94. YU, T., WINSLETT, M., AND SEAMONS, K. E. 2001. Interoperable strategies in automated trust negotiation. In Proceedings of the 8th ACM Conference on Computer and Communications Security. ACM Press, 146-155.