Computer Science Department
U C Davis
SECURITY LABORATORY SEMINAR
December 9, 1998
1131 ENG II
1:00 - 2:00

Delegation Certificates
Presented by Tuomas Aura (Tuomas.aura@hut.fi)

Presentation Overhead Transparencies

Access Control for the Internet - Current Solutions
PGP, SSL, SSH, KERBEROS, X.509

  • Name Certificates, Distinguished Names
  • ACLs
  • Centralized or Hierarchical

  • CAs, TTPs, Domains
    = Trusted Authorities
  • TCB, Reference Monitor
But Reality on the Net:
  • No Widely Trusted Authorities
  • No Hierarchical Organization
  • No TCB
  • No Names
  • Lots of Local Attempts, though!


How to Avoid Centralization

  • Distribute Access Rights

  • Forget Identity Authentication
  • Get rid of Global Names

  • Use Public Keys or Local Names Instead
  • Give Credentials to Clients

  • Don't Maintain ACLs.
  • Let everyone be an equal authority over the resources they own.
  • Support Local Trust Relationships - Don't mandate any.

  • You also can be an authority for those who choose to trust you or depend on you for services.
  • Stop dreaming about global security policies defined by a "security officer."
  • Provide mechanisms for specifying exactly the amount and duration of trust.
Key-Oriented: Public Keys - Not Names

A CA That Binds Keys to Names is Omnipotent!
 
 

Mechanism: Delegation Certificates

Bob keeps the certificate and attaches it to the request

  • No Central Authorities
  • No ACL
  • No Names
  • No CA, No Name Certificates
Details of a Certificate

S_K_ISSUER( During the validity period P, if I have any of the rights R, I give them also to K_SUBJECT. )
(the statement in parentheses is signed with the issuer's key K_ISSUER)
 
 

A Chain of Certificates

Rights given by the Chain = Intersection

Validity Period of the Chain = Intersection

Note: Certificates may be created in any order.

Expired ones can be replaced

S does not know who owns Key2 or Key3.

Confinement?

Alice does not want Bob to spread the rights to Charles

No TCB or Reference Monitor is watching Bob.

  • Copy Files to Charlie
  • Give KC to Charlie
  • Set up a Proxy Server.
Alice is out of Luck

Let's allow redistribution as a rule.

  • Bob can delegate to his assistant or laptop.
  • Bob can say exactly which part of the right he gives to them and for what period.
Only if Bob cannot leak the rights does it make sense to forbid redelegation.
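The chain rule from the "A Chain of Certificates" slide (rights and validity period of a chain are both intersections, and the chain is linked by keys rather than names) together with the "redistribution as a rule" slide (Bob narrows the right and the period when he re-delegates), as an added example that is not part of the original transparencies. Key labels, right names, dates and the certificate fields are constructed for illustration; signature checking is abstracted away, so each certificate is simply taken as already verified against its issuer key.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    """One delegation certificate: K_ISSUER says that during period P it passes
    any of its rights R on to K_SUBJECT.  (Signature verification abstracted.)"""
    issuer: str          # hypothetical label for the issuer's public key
    subject: str         # hypothetical label for the subject's public key
    rights: frozenset    # R
    valid_from: date     # start of P
    valid_to: date       # end of P, inclusive

def chain_rights(owner_key, chain):
    """Rights granted by `chain`, rooted at the resource owner's key.
    Returns (final_key, rights, start, end) or None if the chain is not linked
    or the periods do not overlap.  Only key linkage matters, not the order in
    which the certificates were created."""
    key, rights, start, end = owner_key, None, date.min, date.max
    for cert in chain:
        if cert.issuer != key:           # each link must be issued by the previous subject
            return None
        rights = cert.rights if rights is None else rights & cert.rights
        start, end = max(start, cert.valid_from), min(end, cert.valid_to)
        key = cert.subject
    if rights is None or start > end:    # empty chain or empty validity intersection
        return None
    return key, rights, start, end

def authorize(owner_key, chain, requester_key, right, today):
    """May `requester_key` exercise `right` on `today`, given `chain`?  The
    requester must hold the last key of the chain; nobody's name is ever checked."""
    result = chain_rights(owner_key, chain)
    if result is None:
        return False
    last_key, rights, start, end = result
    return last_key == requester_key and right in rights and start <= today <= end

# Constructed sample: Alice owns the resource and delegates read+write to Bob for
# 1998; Bob re-delegates only "read" to his laptop, for a period that overhangs 1998.
ALICE, BOB, LAPTOP = "K_ALICE", "K_BOB", "K_LAPTOP"
CHAIN = [
    Cert(ALICE, BOB, frozenset({"read", "write"}), date(1998, 1, 1), date(1998, 12, 31)),
    Cert(BOB, LAPTOP, frozenset({"read"}), date(1998, 6, 1), date(1999, 3, 31)),
]
SEMINAR_DAY = date(1998, 12, 9)      # inside the intersection
AFTER_ALICE_EXPIRES = date(1999, 1, 15)  # inside Bob's period, outside Alice's

if __name__ == "__main__":
    print(chain_rights(ALICE, CHAIN))   # laptop gets {"read"} from 1998-06-01 to 1998-12-31
    print(authorize(ALICE, CHAIN, LAPTOP, "write", SEMINAR_DAY))  # False: Bob kept "write"
```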
 

So Is It Real?

  • IETF SPKI Working Group (Ellison et al.)
  • Implementations: MIT, INTEL, SSM, ...
  • PolicyMaker (Blaze et al.), SDSI (Rivest et al.)
  • Me? I'm just working on the theory.