Using WebDAV for Improved Certificate Revocation and Publication

Chadwick, David; Anthony, Sean W.

doi:10.1007/978-3-540-73408-6_19

Cited by 8 publications

(6 citation statements)

References 13 publications

(12 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the CVS has to pull credentials from the issuers or their repositories, then all the credentials have to be held consistently -either all with their subjects or all with their issuers, otherwise the CVS will not be able to efficiently locate them. In our implementation all credentials are held with their subjects, typically in their LDAP directory entries, or more recently, in files linked to their DNs held in WebDAV repositories [24]. As Li et al point out [17], building an authorisation credential chain is more difficult in general than building an X.509 public key certificate chain, because in the latter one merely has to follow the subject/issuer chain in a tree, whereas in the former, a DAG rather than a tree may be encountered.…”

Section: Delegation Tree Navigationmentioning

confidence: 99%

“…If any credential between the requestor's credential and the root of trust has been revoked, then the requestor's credential is considered to be invalid, and processing stops. We have also implemented a novel scheme for revoking credentials which uses the web as a finite state machine to indicate the revocation status of each credential [24]. This scheme inherently supports instant revocation and can be more efficient than using CRLs.…”

Section: Delegation Tree Navigationmentioning

confidence: 99%

See 1 more Smart Citation

Adding support to XACML for multi-domain user to user dynamic delegation of authority

Chadwick

Otenko

Nguyễn

2009

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

Tuan Anh Nguyen has a Master of Electronics andTelecommunications degree from the Hanoi University of Technology, Vietnam. He is studying for a PhD in dynamic delegation of authority at the University of Kent, under the supervision of Professor Chadwick.Abstract. We describe adding support for dynamic delegation of authority between users in multiple administrative domains, to the XACML model for authorisation decision making. Delegation of authority is enacted via the issuing of credentials from one user to another, and follows the role based access control model. We present the problems and requirements that such a delegation model demands, the policy elements that are necessary to control the delegation chains and a description of the architected solution. We propose a new conceptual entity called the Credential Validation Service (CVS) to work alongside the XACML PDP. We describe our implementation of the CVS and present performance measurements for validating delegated chains of credentials.

show abstract

Section: Delegation Tree Navigationmentioning

confidence: 99%

Section: Delegation Tree Navigationmentioning

confidence: 99%

Adding support to XACML for multi-domain user to user dynamic delegation of authority

Chadwick

Otenko

Nguyễn

2009

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…These windows provide forms for users to fill in, then the tool generates the corresponding PERMIS policy in extensible markup language (XML). Policies can be saved as pure XML in text files, or the XML can be embedded as a policy attribute in an X.509 AC 7, digitally signed with the policy author's private key (held in a PKCS#12 file (public key cryptography standards)), then stored in either a local file, Lightweight Directory Access Protocol (LDAP) directory or WebDAV 13 repository. Various helpers in the Policy Editor are capable of retrieving subject and AA names from LDAP directories, and setting times and dates in the correct format.…”

Section: Permis: a Modular Authorization Infrastructurementioning

confidence: 99%

PERMIS: a modular authorization infrastructure

Chadwick

Zhao

Otenko

et al. 2008

Concurrency and Computation

View full text Add to dashboard Cite

Authorization infrastructures manage privileges and render access control decisions, allowing applications to adjust their behavior according to the privileges allocated to users. This paper describes the PERMIS role-based authorization infrastructure along with its conceptual authorization, access control, and trust models. PERMIS has the novel concept of a credential validation service, which verifies a user's credentials prior to access control decision-making and enables the distributed management of credentials. PERMIS also supports delegation of authority; thus, credentials can be delegated between users, further decentralizing credential management. Finally, PERMIS supports history-based decision-making, which can be used to enforce such aspects as separation of duties and cumulative use of resources. Details of the design and the implementation of PERMIS are presented along with details of its integration with Globus Toolkit, Shibboleth, and GridShib. A comparison of PERMIS with other authorization and access control implementations is given, along with suggestions where future research and development are still needed.They provide facilities to manage user privileges, render access control decisions, and process the related information. Different types of policies may be supported, such as credential issuing policies, access control policies, delegation policies, and credential validation policies. These policies contain the rules and criteria that specify how user privileges (or credentials, which are digitally signed assertions made by some authority about a user's privileges) are managed and access control decisions are made. In the context of distributed Grid systems spanning multiple domains, policybased authorization systems bring a number of specific advantages such as: they can control the issuing of credentials in one domain and allow the autonomous delegation of privileges between users. They can then separately control the validation of these credentials in the resource domain, and allow each resource owner to independently say who he/she trusts to issue which credentials to whom, and which access rights these valid credentials should have. This is an important feature that most Grid systems today do not have.The authorization infrastructure that we have built is called PERMIS [1]. This paper describes the various components of the PERMIS authorization infrastructure, the conceptual models that lie behind them, and the standards that we have used. We conclude by comparing our work with that of others and by describing some of the future work that still needs to be done. The rest of this paper is structured as follows. Section 2 provides the conceptual models of our authorization infrastructure. Section 3 describes the design and implementation of PERMIS. Section 4 presents PERMIS's integration with Globus Toolkit (GT), Shibboleth, and GridShib. Section 5 compares PERMIS with other related research. Section 6 concludes and indicates our plans for the future. CONCEPTUAL MODELS The access control...

show abstract

“…The revocation resources can be located in diverse repositories. Examples of typical repositories that are used in a PKI are X.500 directories [8], LDAP directories [9], DNS servers [10], WebDAV [11], Web or FTP servers [12], or HTTP stores according to [13] specified additionally in [14] as an RFC. To notify about the location of a CRL the CRLDistributionPoint [2] extension is added to the sequence of extensions of the Notification.…”

Section: Notification About Revocation Repositoriesmentioning

confidence: 99%

Notification Services for the Server-Based Certificate Validation Protocol

Buchmann

Karatsiolis

2009

IJCNS

View full text Add to dashboard Cite

The Server-Based Certificate Validation Protocol allows PKI clients to delegate to a server the construction or validation of certification paths. The protocol's specification focuses on the communication between the server and the client and its security. It does not discuss how the servers can efficiently locate the necessary PKI resources like certificate or certificate revocation lists. In this paper we concentrate on this topic. We present a simple and effective method to facilitate locating and using various PKI resources by the servers, without modifying the protocol. We use the extension mechanism of the protocol for notifying the servers about PKI repositories, certificates, and revocations. We specify the tasks of the servers and certificate issuers and define the messages that are exchanged between them. A proof of concept is given by implementing an SCVP server, a client, and the proposed method in Java.

show abstract

Using WebDAV for Improved Certificate Revocation and Publication

Cited by 8 publications

References 13 publications

Adding support to XACML for multi-domain user to user dynamic delegation of authority

Adding support to XACML for multi-domain user to user dynamic delegation of authority

PERMIS: a modular authorization infrastructure

Notification Services for the Server-Based Certificate Validation Protocol

Contact Info

Product

Resources

About