DKAL is an expressive declarative authorization language based on existential fixed-point logic. It is considerably more expressive than existing languages in the literature, and yet feasible. Our query algorithm is within the same bounds of computational complexity as e.g. that of SecPAL. DKAL's distinguishing features include explicit handling of knowledge and information, targeted communication that is beneficial with respect to confidentiality, security, and liability protection, the flexible use and nesting of functions, which in particular allows principals to quote (to other principals) whatever has been said to them, flexible built-in rules for expressing and delegating trust, information order that contributes to succinctness.

PDF file

Details