Abstract:
We address the problem of authorization in large-scale, open, distributed systems. Authorization decisions are needed in electronic commerce, mobile-code execution, remote resource sharing, privacy protection, and many other applications. We adopt the trust-management approach, in which "authorization" is viewed as a proof-of-compliance problem: Does a set of credentials prove that a request complies with a policy?
We develop a logic-based language, called Delegation Logic (DL), to represent policies, credentials, and requests in distributed authorization. In this paper, we describe D1LP, the monotonic version of DL. D1LP extends the logic-programming (LP) language Datalog with expressive delegation constructs that feature delegation depth and a wide variety of complex principals (including, but not limited to, k-out-of-n thresholds). Our approach to defining and implementing D1LP is based on tractably compiling D1LP programs into ordinary logic programs (OLP's). This compilation approach enables D1LP to be implemented modularly on top of existing technologies for OLP, e.g., Prolog.
As a trust-management language, D1LP provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation. D1LP also provides a logical framework for studying delegation.
Reference:
ACM Transaction on Information and System Security (TISSEC),
Feburary 2003. To appear.
Paper: PDF.
BibTex Data:
@Article{LGF03,
author = "Ninghui Li and Benjamin N. Grosof and Joan Feigenbaum",
title = "{Delegation Logic}: A Logic-based Approach to Distributed Authorization",
journal = "ACM Transaction on Information and System Security (TISSEC)",
month = feb,
year = "2003",
note = "To appear",
}