Certificate chain discovery in SPKI/SDSI

SPKI/SDSI is a novel public-key infrastructure emphasizing naming, groups, ease-of-use, and flexible authorization. To access a protected resource, a client must present to the server a proof that the client is authorized; this proof takes the form of a “certificate chain” proving that the client�...

Full description

Saved in:
Bibliographic Details
Published inJournal of computer security Vol. 9; no. 4; pp. 285 - 322
Main Authors Clarke, Dwaine, Elien, Jean-Emile, Ellison, Carl, Fredette, Matt, Morcos, Alexander, Rivest, Ronald L.
Format Journal Article
LanguageEnglish
Published London, England SAGE Publications 01.10.2001
Subjects
authorization
SDSI
certificate chain discovery
threshold subjects
naming
local names
delegation
SPKI
certificate chain
Certificate
public-key infrastructure
PKI
Online AccessGet full text

Cover

More Information
Summary:SPKI/SDSI is a novel public-key infrastructure emphasizing naming, groups, ease-of-use, and flexible authorization. To access a protected resource, a client must present to the server a proof that the client is authorized; this proof takes the form of a “certificate chain” proving that the client's public key is in one of the groups on the resource's ACL, or that the client's public key has been delegated authority (in one or more stages) from a key in one of the groups on the resource's ACL. While finding such a chain can be nontrivial, due to the flexible naming and delegation capabilities of SPKI/SDSI certificates, we present a practical and efficient algorithm for this problem of “certificate chain discovery”. We also present a tight worst-case bound on its running time, which is polynomial in the length of its input. We also present an extension of our algorithm that is capable of handling “threshold subjects”, where several principals are required to co-sign a request to access a protected resource.
ISSN:0926-227X
1875-8924
DOI:10.3233/JCS-2001-9402