4 research outputs found

    Access control, reverse access control and replication control in a world wide distributed system

    In this paper we examine several access control problems that occur in an object-based distributed system that permits objects to be replicated on multiple machines. First, there is the classical access control problem, which relates to which users can execute which methods. Second, we identified a reverse access control problem, which concerns which replicas can execute which methods for authorized users. Finally, there is the issue of how updates are propagated securely from replica to replica. Our solution uses roles and preserves the scalability needed in a world-wide distributed system.

    RBAC on the Web by smart certificates


    RBAC on the Web by Smart Certificates

    We have described in another paper how to develop and use smart certificates by extending X.509 with several sophisticated features for secure attribute services on the Web. In this paper, we describe an implementation of RBAC (Role-Based Access Control) with role hierarchies on the Web as one possible application of smart certificates. To support RBAC, we issued smart certificates - which hold the subjects' role information - and configured a Web server to use the role information in the certificate instead of identities for its access control mechanism. Since the subjects' role information is provided integrity, the Web server can trust the role information after authentication and certificate verification by SSL, and uses it for role-based access control. To maintain compatibility with existing technologies, such as SSL, we used a bundled (containing the subject's identity and role information) smart certificate in the user-pull model

    RBAC on the Web by Smart Certificates

    We have described in another paper how to develop and use smart certificates by extending X.509 with several sophisticated features for secure attribute services on the Web. In this paper, we describe an implementation of RBAC (Role-Based Access Control) with role hierarchies on the Web as one possible application of smart certificates. To support RBAC, we issued smart certificates - which hold the subjects' role information - and configured a Web server to use the role information in the certificate instead of identities for its access control mechanism. Since the subjects' role information is provided integrity, the Web server can trust the role information after authentication and certificate verification by SSL, and uses it for role-based access control. To maintain compatibility with existing technologies, such as SSL, we used a bundled (containing the subject's identity and role information) smart certificate in the user-pull model.