Adding support to XACML for multi-domain user to user dynamic delegation of authority

International Journal of Information Security

Volumn 8, Issue 2, 2009, Pages 137-152

  Chadwick, David W ^a   Otenko, Sassa ^b   Nguyen, Tuan Anh ^a  

^a UNIVERSITY OF KENT   (United Kingdom)

^b ORACLE CORPORATION   (United States)

Author keywords

Credential validation service; Delegation of authority; RBAC; XACML

Indexed keywords

DIRECTION OF ARRIVAL; MANAGEMENT; RADIO DIRECTION FINDING SYSTEMS; VENDING MACHINES;

CREDENTIAL VALIDATION SERVICE; DELEGATION OF AUTHORITY; MULTI DOMAINS; PERFORMANCE MEASUREMENTS; RBAC; ROLE-BASED ACCESS CONTROL MODELS; USER DYNAMICS; XACML;

ACCESS CONTROL;

EID: 60849106239     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-008-0073-y     Document Type: Article

References (28)

1. OASIS eXtensible Access Control Markup Language (XACML), v2.0, 6 December 2004. http://www.oasis-open.org/committees/ tc_home.php?wg_abbrev=xacml
2. Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: Proceedings of the 2003 ACM Workshop on XML Security. Fairfax, Virginia (2003)
3. Hommel, W.: Using XACML for privacy control in SAML-based identity federations. In: Ninth IFIP TC-6 TC-11 Conference on Communications and Multimedia Security (CMS 2005). Springer, Salzburg (2005)
4. López, G., Cánovas, Ó., Gómez-Skarmeta, A.F.: Use of XACML policies for a Network Access Control Service. In: Zhou, J., et al. (eds.) Applied Public Key Infrastructure. Proceedings of Fourth International Workshop for Applied PKI, IWAP 05. IOS Press, Singapore (2005)
5. ANSI: Information technology - Role Based Access Control. ANSI INCITS 359-2004
6. OASIS: Core and hierarchical role based access control (RBAC) profile of XACML v2.0. February 2005
7. XACML v3.0 administration policy Working Draft 16 February 2007. http:// www.oasis-open.org/committees/documents.php?wgabbrev=xacml
8. http://dictionary.reference.com/search?q=delegate
9. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI Certificate Theory. RFC 2693, September 1999
10. Alfieri R., Cecchini R., Ciaschini V., Dell'Agnello L., Frohner A., Lorentey K., Spataro M.: From gridmap-file to VOMS: managing authorization in a Grid environment. Future Gener. Comput. Syst. 21(4), 549-558 (2005)
11. Barton, T., Basney, J., Freeman, T., Scavo, T., Siebenlist, F., Welch, V., Ananthakrishnan, R., Baker, B., Keahey, K.: Identity federation and attribute-based authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy. In: Presented at NIST PKI Workshop, April 2006. http://middleware.internet2.edu/pki06/proceedings/welch-idfederation.pdf
12. Chadwick, D.: Authorisation using attributes from multiple authorities. In: Proceedings of WET-ICE 2006, June 2006, Manchester, UK
13. OASIS: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0, 15 January 2005
14. ISO 9594-8/ITU-T Rec. X.509: The Directory: Public-key and Attribute Certificate Frameworks (2001)
15. Cantor, S.: Shibboleth Architecture, Protocols and Profiles. Working Draft 02, 22 September 2004. http://shibboleth.internet2.edu/
16. Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir): EduPerson Object Class Specification (200604), 14 April 2006. http://www.nmi-edit.org/eduPerson/ internet2-mace-dir-eduperson-200604.html
17. Bandmann, O., Dam, M., Sadighi Firozabadi, B.: Constrained delegation. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 131-140. IEEE Computer Society Press, Oakland (2002)
18. Globus Toolkit Homepage. http://globus.org/toolkit/
19. Madsen, P.: WS-Trust: Interoperable Security for Web Services. June 2003. http://webservices.xml.com/pub/a/ws/2003/06/24/ws-trust.html
20. Chadwick, D.W., Su, L., Laborde, R.: Use of XACML Request Context to Obtain an Authorisation Decision, Open Grid Forum Working Draft, 31 March 2008. http://forge.gridforum.org/sf/go/doc15169?nav=1
21. Chadwick, D.W., Su, L.: Use of WS-TRUST and SAML to access a CVS. Open Grid Forum Working Draft, 11 June 2008. http://forge.gridforum.org/sf/go/ doc15253?nav=1
22. Li N., Winsborough W.H., Mitchell J.C.: Distributed credential chain discovery in trust management. J. Comput. Secur. 11, 35-86 (2003)
23. Chadwick, D.W., Anthony, S.: Using WebDAV for improved certificate revocation and publication. In: LCNS 4582, Public Key Infrastructure. Proceedings of Fourth European PKI Workshop, pp. 265-279. Palma de Mallorca, Spain (2007)
24. Clarke D., Elien J.-E., Ellison C., Fredette M., Morcos A., Rivest R.L.: Certificate chain discovery in SPKI/SDSI. J. Comput. Secur. 9(4), 285-322 (2001)
25. Elley, Y., Anderson, A., Hanna S., Mullan S., Perlman, R., Proctor, S.: Building certificate paths: Forward vs. reverse. In: Proceedings of the 2001 Network and Distributed System Security Symposium (NDSS'01), pp. 153-160. Internet Society, USA (2001)
26. Housley, R., Ford, W., Polk, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3280, April 2002
27. The Shewhart Control Chart. http://www.itl.nist.gov/div898/handbook/mpc/ section2/mpc221.htm
28. Nguyen, T.-A., Chadwick, D., Nasser, B.: Recognition of authority in virtual organisations. In: Lambrinoudakis, C., Pernul, G., Min Tjoa, A. (eds.) Trust, Privacy & Security in Digital Business, vol. 4657, pp. 3-13. LCNS (2007)