Regulated delegation in distributed systems

Abstract

Certificate-based delegation (CBD) is a prominent element of distributed access control, providing it with flexibility and scalability. But despite its elegance and effectiveness, CBD has inherent limitations that restrict its applicability. These limitations include, among others: lack of support for non-monotonic policies, such as separation of duties; the inability to support the transfer of privileges, where the delegator loses the privilege it delegates; and the lack of support for quotas, i.e., restrictions on the number of time a given privilege can be exercised. This paper describes an approach to the distributed delegation, which shares much of the flexibility and scalability of CBD, but is not encumbered by its limitations. This approach is based on the decentralized control mechanism called law-governed interaction (LGI), which is used to regulate the process of delegation itself