BIB-VERSION:: CS-TR-v2.0
ID:: ncstrl.dartmouthcs//TR2004-485
ENTRY:: January 15, 2004
ORGANIZATION:: Dartmouth College, Computer Science
TITLE:: Using SPKI/SDSI for Distributed Maintenance of Attribute Release Policies in Shibboleth
TYPE:: Technical Report (paper)
REVISION:: 1
AUTHOR:: Nazareth, Sidharth
AUTHOR:: Smith, Sean
DATE:: January 2004
RETRIEVAL:: For a paper copy, email
RETRIEVAL:: For a paper copy, write to Technical Report Librarian, Department of Computer Science, Dartmouth College, 6211 Sudikoff Laboratory, Hanover, NH 03755-3510, USA
RETRIEVAL:: PDF at http://www.cs.dartmouth.edu/reports/TR2004-485.pdf
ABSTRACT:: The Shibboleth middleware from Internet2 provides a way for users at higher-education institutions to access remote electronic content in compliance with the inter-institutional license agreements that govern such access. To protect end-user privacy, Shibboleth permits users to construct attribute release policies that control what user credentials a given content provider can obtain. However, Shibboleth leaves unspecified how to construct these policies. To be effective, a solution needs to accommodate the typical nature of a university: a set of decentralized fiefdoms. This need argues for a public-key infrastructure (PKI) approach---since public-key cryptography does not require parties to agree on a secret beforehand, and parties distributed throughout the institution are unlikely to agree on anything. However, this need also argues against the strict hierarchical structure of traditional PKI---policy in different fiefdoms will be decided differently, and originate within the fiefdom, rather than from an overall root. This paper presents our design and prototype of a system that uses the decentralized public-key framework of SPKI/SDSI to solve this problem.
END:: ncstrl.dartmouthcs//TR2004-485