We describe a layered approach to access control for distributed and interoperable computing systems. Firstly, compound access control policies are conceptually specified, using the policy algebra proposed by Bonatti, Capitani di Vimercati and Samarati. Secondly, SPKI/SDSI is exploited to implement and to enforce a policy specification by means of credentials. Therefore, SPKI/SDSI is slightly extended, in particular in order to allow algebra expressions over local names as subjects in authorisation certificates and to deal with the subtraction operator of the algebra. Besides presenting the overall approach, the paper elaborates some details for a still powerful fraction of the policy algebra, thereby examining the correctness of the credential-based implementation.
展开▼
机译:我们描述了一种用于分布式和可互操作的计算系统的访问控制的分层方法。首先,使用Bonatti,Capitani di Vimercati和Samarati提出的策略代数在概念上指定复合访问控制策略。其次,利用SPKI / SDSI通过凭据来实施和实施策略规范。因此,SPKI / SDSI略有扩展,特别是为了允许以本地名称的代数表达式作为授权证书中的主体,并处理代数的减法运算符。除了介绍整体方法之外,本文还详细阐述了政策代数中仍然强大的部分,从而检验了基于凭证的实施的正确性。
展开▼
