A Language for Authorization and Policy Management

One of the factors slowing the practical application of PKI is that discussions have focused on the wrong problem—authentication. For many application uses, the crucial step is authorization: "Should principal X be allowed to do Y with resource Z?" What is needed is a language that can allow people to express such authorizations according to their own policies, the amount of risk they're willing to assume, and any other constraints or considerations they wish to apply. If identification of the person on the other end of the wire is necessary, then such a language can be used to say so. In fact, it should even be able to express such concepts as "Two forms of identification, please."

Our research would be focused on the language as a language. It is not about an authorization API. Stages in the research agenda would include (although not necessarily in this order):

a) Acquire a Prolog interpreter with source code (already have three). Probably want to pare it down to basics. Note that Prolog is used to investigate key issues, but approaches based on XML are investigated in parallel (see steps h, i, and j).

b) Experiment with Prolog statements to realize various types of authorization. This would probably use the list of authorization scenarios from the Condor project and whatever else brainstorming could produce. Actual cryptographic keys need only be symbolic.

c) Study the above to see which statements can be stored where (client, server, or directory).

d) Consider the ramifications of including "negative" statements, i.e., revocation of privileges already issued.

e) Add cryptographic primitives to the Prolog system. Code will probably come from the OpenSSL library or Peter Gutmann's cryptlib. Try it out with actual keys.

f) Develop ASN.1 so that authorization statements can be included in X.509 certificate extensions. Develop code to actually manufacture such X.509 certificates.

g) Embed the Prolog system in an Apache module; try it out.

h) Look at how authorization statements can be represented in XML. Collaboration with Amir Herzberg, W3C, and KeyNote folks here.

i) See if interpretation of XML authorization statements can be done with XSLT and/or other XML-enabled tools.

j) Look at how XML editors would work to prepare authorization statements.
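As an added illustration (not part of the original proposal), the sketch below shows what the statements of steps b) and d) might look like in a standard Prolog such as SWI-Prolog, answering the question "Should principal X be allowed to do Y with resource Z?" with symbolic keys. The predicate names (says/2, permitted/3 and the rest), the key atoms and the job-submission scenario are all assumptions constructed for this example.

```prolog
% Constructed sample facts; keys are symbolic atoms, as step b) allows.
% says(Issuer, Statement) stands for a statement signed by Issuer's key.
trusted_root(key_admin).

% key_admin lets key_owner grant job submission on the cluster.
says(key_admin, may_delegate(key_owner, submit_job, cluster)).
says(key_owner, may(key_alice, submit_job, cluster)).
says(key_owner, may(key_bob,   submit_job, cluster)).
% Negative statement (step d): key_owner revokes a privilege already issued.
says(key_owner, revoked(key_bob, submit_job, cluster)).

% Identification evidence presented along with each request.
presented(key_alice, x509_cert).
presented(key_alice, kerberos_ticket).
presented(key_bob,   x509_cert).

% Local policy: "Two forms of identification, please."
% An action with no required_ids/2 entry is denied by default.
required_ids(submit_job, 2).

% An issuer has authority if it is a trusted root or holds a delegation
% from an issuer that itself has authority (assumes no delegation cycles).
authority(Issuer, _, _) :- trusted_root(Issuer).
authority(Issuer, Action, Resource) :-
    says(Granter, may_delegate(Issuer, Action, Resource)),
    authority(Granter, Action, Resource).

% Count the distinct forms of identification the principal presented.
identified(Principal, Action) :-
    required_ids(Action, N),
    findall(Form, presented(Principal, Form), Forms),
    sort(Forms, Unique),              % sort/2 also removes duplicates
    length(Unique, Count),
    Count >= N.

% "Should principal X be allowed to do Y with resource Z?"
% Requires a grant from an authorized issuer, no revocation from an
% authorized issuer, and enough identification for the action.
permitted(X, Y, Z) :-
    says(Issuer, may(X, Y, Z)),
    authority(Issuer, Y, Z),
    \+ ( says(Revoker, revoked(X, Y, Z)), authority(Revoker, Y, Z) ),
    identified(X, Y).
```

A request is evaluated by querying permitted/3, for example `permitted(key_alice, submit_job, cluster)`. Because the revocation check uses negation as failure, the answer depends on which statements are visible to the evaluator, which is the storage question raised in step c).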

Rough timeline:

Dates                      Tasks to be completed
Sept. - Nov. 2000          Step a)
Dec. 2000 - Feb. 2001      Step h)
Mar. 2001 - May 2001       Steps b) and i)
June 2001 - Aug. 2001      Steps c) and j)
Sept. 2001 - Nov. 2001     Step d)
Dec. 2000 - Feb. 2001      Step e)
Mar. 2001 - May 2001       Step f)
June 2001 - Aug. 2001      Step g)