
Resource Management with X.509 Inter-domain Authorization Certificates (InterAC)

  • Conference paper
Public Key Infrastructures, Services and Applications (EuroPKI 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6391)


Abstract

Collaboration among independent administrative domains requires: i) confidentiality, integrity and non-repudiation of communication between the domains; ii) minimal and reversible modifications to the intra-domain pre-collaboration setup; iii) preservation of functional autonomy while collaborating; and iv) the ability to return quickly from the post-collaboration stage to the pre-collaboration stage. In this paper, we put forward a mechanism that satisfies the above requirements while staying within industry standards, so that it is practical and deployable. Our approach is based on an X.509 certificate extension. We have designed a non-critical extension that captures users' rights in such a way that neither the start of a collaboration nor the post-collaboration stage requires an update of the certificate, which greatly reduces revocation costs and the size of CRLs. Furthermore, rights amplification and degradation of users from collaborating domains into the host domain can be performed easily, giving collaborators functional autonomy. Initiating collaboration between two domains requires the issuance of one certificate from each domain, and revocation of these certificates ends the collaboration, which keeps management simple.
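The abstract only states the properties of the scheme, so the following Python model (an added example, not code from the paper or its authors) sketches how those properties fit together: a user's rights sit in a non-critical extension of a certificate that is issued once, each domain issues one inter-domain certificate, the host domain derives effective rights through the mapping in its own inter-domain certificate, and revoking either inter-domain certificate ends the collaboration. The extension names, the mapping format, the domains and the user are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Model of an X.509 certificate: only the fields the example needs."""
    issuer: str                                     # issuing domain CA
    subject: str                                    # user or partner domain
    extensions: dict = field(default_factory=dict)  # non-critical extensions

def issue_user_cert(domain, user, rights):
    # User rights travel in a hypothetical non-critical extension, so a
    # verifier that does not understand it still accepts the certificate.
    return Cert(domain, user, {"interac-rights": set(rights)})

def issue_interdomain_cert(issuer, partner, mapping=None):
    # The host's certificate for a partner carries how the partner's rights
    # map onto host rights (amplification or degradation); the partner's
    # certificate for the host records its consent to collaborate.
    return Cert(issuer, partner, {"interac-mapping": mapping or {}})

def collaboration_live(host, home, interdomain_certs, crl):
    """Return (host->home cert, home->host cert), each None if absent/revoked."""
    def live(issuer, subject):
        return next((c for c in interdomain_certs
                     if c.issuer == issuer and c.subject == subject
                     and c not in crl), None)
    return live(host, home), live(home, host)

def effective_rights(user_cert, host, interdomain_certs, crl):
    """Rights a user's unchanged certificate grants in `host` right now."""
    rights = user_cert.extensions.get("interac-rights", set())
    if user_cert.issuer == host:
        return set(rights)                          # local user: rights as issued
    host_cert, home_cert = collaboration_live(host, user_cert.issuer,
                                              interdomain_certs, crl)
    if host_cert is None or home_cert is None:
        return set()                                # no collaboration: no access
    mapping = host_cert.extensions["interac-mapping"]
    # Amplify or degrade: each home right maps to zero or more host rights.
    return {h for r in rights for h in mapping.get(r, ())}

# Constructed scenario: alice belongs to domain A and accesses host domain B.
ALICE = issue_user_cert("A", "alice", ["read", "write"])
B_TO_A = issue_interdomain_cert("B", "A", {"read": ["view"],
                                           "write": ["view", "edit", "admin"]})
A_TO_B = issue_interdomain_cert("A", "B")
```

Revoking either B_TO_A or A_TO_B returns alice to the pre-collaboration state without touching her own certificate, which is the revocation-cost argument the abstract makes.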




© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Patil, V., Gasti, P., Mancini, L., Chiola, G. (2010). Resource Management with X.509 Inter-domain Authorization Certificates (InterAC). In: Martinelli, F., Preneel, B. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2009. Lecture Notes in Computer Science, vol 6391. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16441-5_3


  • DOI: https://doi.org/10.1007/978-3-642-16441-5_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16440-8

  • Online ISBN: 978-3-642-16441-5

  • eBook Packages: Computer Science (R0)
