
On the Structure of Delegation Networks

Tuomas Aura
Helsinki University of Technology, FIN-02015 HUT, Finland


In new distributed, key-oriented access control systems such as SPKI, access rights are delegated by a freely formed network of certificates. We formalize the concept of a delegation network and present a formal semantics for the delegation of access rights with certificates. The certificates can have multiple subjects who must jointly use the authority. Some fundamental properties of the system are proven, alternative techniques for authorization decisions are compared, and their equivalence is shown rigorously. In particular, we prove that certificate reduction is a sound and complete decision technique. We also suggest a new type of threshold certificate and prove its properties.

Full paper in Postscript

  author    = {Tuomas Aura},
  title     = {On the structure of delegation networks},
  booktitle = {Proc.\ 11th IEEE Computer Security Foundations Workshop},
  year      = 1998,
  pages     = "14--26",
  address   = {Rockport, MA},
  publisher = {IEEE Computer Society Press},
  month     = jun