Moritz Y. Becker, Jason F. Mackay, and Blair Dillaway
24 February 2009
The problem of authorization in large-scale decentralized systems has been addressed by a number of logic-based policy languages utilizing delegation of authority and distributed security credentials. A central task in this context is that of gathering a set of credentials for a given access request. Previous approaches have focused on methods in which credentials are pulled on-demand from credential providers during authorization. These methods may result in multiple, and potentially futile, costly queries to the same remote credential provider, and require that providers be known and available to the resource guard at access time. A novel decentralized protocol is presented in this paper to address these shortcomings. The approach uses logical abduction to statically and locally compute a specification of credentials needed to satisfy a given query against a policy. Based on such a specification, credentials are then gathered using a single-pass protocol that queries each provider only once and does not involve any communication with the resource guard. This approach decouples authorization from credential gathering, reduces the number of messages sent between participants, and allows for communication topologies in which some credential providers are not known or available to the resource guard at authorization time.
© 2009 Microsoft Corporation. All rights reserved.