Twenty years of coordination technologies: State-of-the-art and perspectives

Since complexity of inter- and intra-systems interactions is steadily increasing in modern application scenarios (e.g., the IoT), coordination technologies are required to take a crucial step towards maturity. In this paper we look back at the history of the COORDINATION conference in order to shed light on the current status of the coordination technologies there proposed throughout the years, in an attempt to understand success stories, limitations, and possibly reveal the gap between actual technologies, theoretical models, and novel application needs

Regulated delegation in distributed systems

Certificate-based delegation (CBD) is a prominent element of distributed access control, providing it with flexibility and scalability. But despite its elegance and effectiveness, CBD has inherent limitations that restrict its applicability. These limitations include, among others: lack of support for non-monotonic policies, such as separation of duties; the inability to support the transfer of privileges, where the delegator loses the privilege it delegates; and the lack of support for quotas, i.e., restrictions on the number of time a given privilege can be exercised. This paper describes an approach to the distributed delegation, which shares much of the flexibility and scalability of CBD, but is not encumbered by its limitations. This approach is based on the decentralized control mechanism called law-governed interaction (LGI), which is used to regulate the process of delegation itself.

On the Role of Roles: from Role-Based to Role-Sensitive Access Control

This paper maintains that for an access-control mechanism to support a wide range of policies, it is best to dispense with any built-in semantics for roles in the mechanism itself, leaving such semantics to be defined by particular policies

Establishing enterprise communities

One of the most important challenges facing the builders of enterprise software is the reliable implementation of the policies that are supposed to govern the various communities operating within an enterprise. Such policies are widely considered fundamental to enterprise modeling, and their specification were the subject of several recent investigations. But specification of the policy that is to govern a given community is only the first step towards its implementation--the second, and more critical step is to ensure that all members of the community actually conform to the specified policy. The conventional approach to the implementation of apolicy is to build it into all members of the community subject to it. But if the community in question is large and het-erogeneous, and if its members are dispersed throughout a distributed enterprise, then such "manual" implementation of its policy would be too laborious and error-prone to be practical. Moreover, a policy implemented in this manualmanner would be very unstable with respect to the evolution of the system, because it can be violated by a change in thecode of any member of community subject to it. It is our thesis that the only reliable way for ensuring thatan heterogeneous distributed community of software modules and people conforms to a given policy is for this policyto be strictly enforced. A mechanism for establishing enterprise communities by formally specifying their policies, andby having these policies enforced is the subject of this paper

Formal treatment of certificate revocation under communal access control

The conventional approach to distributed access-control (AC) tends to be server-centric. Under this approach, each server establishes its own policy regarding the use of its resources and services by its clients. The choice of this policy, and its implementation, are generally considered the prerogative of each individual server. This approach to access-control may be appropriate for many current client-server applications, where the server is an autonomous agent, in complete charge of its resources. But it is not suitable for the growing class of applications where a group of servers, and sometimes their clients, belong to a single enterprise, and are subject to the enterprisewide policy governing them all. One may not be able to entrust such an enterprise-wide policy to the individual servers, for two reasons: First, it is hard to ensure that an heterogeneous set of servers implement exactly the same policy. Second, as we will demonstrate, an AC policy can have aspects that cannot, in principle, be implemented by servers alone. As argued in a previous paper [11], what is needed in this situation is a concept of communal policy that governs the interactionbetween the members of a distributedcommunity of agents involved in some common activity, along with a mechanism that provides for the explicit formulation of such policies, and for their scalable enforcement. This paper focuses on the communal treatment of expiration and revocation of the digital certificates used for the authentication of the identity and roles of members of the community

A Hierarchical Policy Specification Language, and Enforcement Mechanism, for Governing Digital Enterprises

This paper is part of a research program based on the thesis that the only reliable way for ensuring that a heterogeneous distributed community of software modules and people conforms to a given policy is for this policy to be enforced. We have devised a mechanism called law-governed interaction (LGI) for this purpose. As has been demonstrated in previous publications, LGI can be used to specify a wide range of policies to govern the interactions among the members of large and heterogeneous communities of agents dispersed throughout a distributed enterprise, and to enforce such policies in a decentralized and efficient manner. enterprise is bound to be governed by a multitude of policies. Such policies are likely to be interrelated in complex ways, forming an ensemble of policies that is to govern the enterprise as a whole. As a step toward organizing such an ensemble of policies, we introduce in this paper a hierarchical inter-policy relation called superior/subordinate. This relation is intended to serve two distinct, if related, purposes. First, it is to help organize and classify a set of enterprise policies. Second, this relation is to help regulate the long term evolution of the various policies that govern an enterprise. For this purpose, each policy in the hierarchy policies subordinate to it, in some analogy to the manner in which a constitution in American jurisprudence constrains the laws subordinate to it. Broadly speaking, the hierarchical structure of the ensemble of policies that govern a given enterprise is to reflect the hierarchical structure of the enterprise itself

Law-Governed Internet Communities

We consider the problem of coordination and control of large heterogeneous groups of agents distributed over the Internet in the context of Law-Governed Interaction (LGI) [2, 5]. LGI is a mode of interaction that allows a group of distributed heterogeneous agents to interact with each other with confidence that an explicitly specified policy, called the law of the group, is complied with by everyone in the group. The original LGI model [5] supported only explicit groups, whose membership is maintained and controlled by a central server. Such a central server is necessary for applications that require each member of the group to know about the membership of the entire group. However, in the case where members do not need to know the membership of the entire group, such a central server can become an unnecessary performance bottleneck, as group size increases, as well as a single point of failure. In this paper, we present an extension to LGI allowing it to support implic..

Law-governed internet community

Abstract. We consider the problem of coordination and control of large heterogeneous groups of agents distributed over the Internet in the context of Law-Governed Interaction (LGI) [2,5]. LGI is a mode of interaction that allows a group of distributed heterogeneous agents to interact with each other with confidence that an explicitly specified policy, called the law of the group, is complied with by everyone in the group. The original LGI model [5] supported only explicit groups, whose membership is maintained and controlled by a central server. Such a central server is necessary for applications that require each member of the group to know about the membership of the entire group. However, in the case where members do not need to know the membership of the entire group, such a central server can become an unnecessary performance bottleneck, as group size increases, as well as a single point of failure. In this paper, we present an extension to LGI allowing it to support implicit groups, also called communities, which require no central control of any kind, and whose membership does not have to be regulated, and might not be completely known to anybody.