Formal treatment of certificate revocation under communal access control

Abstract

The conventional approach to distributed access control (AC) tends to be server-centric. Under this approach, each server establishes its own policy regarding the use of its resources and services by its clients. The choice of this policy, and its implementation, are generally considered the prerogative of each individual server. This approach to access control may be appropriate for many current client-server applications, where the server is an autonomous agent, in complete charge of its resources. It is not suitable for the growing class of applications where a group of servers, and sometimes their clients, belong to a single enterprise, and are subject to the enterprise-wide policy governing them all. One may not be able to entrust such an enterprise-wide policy to the individual servers, for two reasons: first, it is hard to ensure that an heterogeneous set of servers implement exactly the same policy. Second, as demonstrate, an AC policy can have aspects that cannot, in principle, be implemented by servers alone. As argued in a previous paper (Minsky, 2000), what is needed in this situation is a concept of communal policy that governs the interaction between the members of a distributed community of agents involved in some common activity along with a mechanism that provides for the explicit formulation of such policies, and for their scalable enforcement. We focus on the communal treatment of expiration and revocation of the digital certificates used for the authentication of the identity and roles of members of the community.