Abstract: The ability to access information resources across organizational boundaries is vital for today's corporate, military, and educational organizations, which must be able to quickly pool their resources to respond to opportunities and threats. Since each organization protects its resources with its local authorization policies, we need mechanisms for cross-domain authorization to achieve information sharing among multiple organizations. Unfortunately, traditional identity-based authorization approaches are impractical, because the identity of a requester is not a useful clue for authorization in a decentralized environment. Many distributed authorization schemes, therefore, consider a requester's properties (e.g., employer and physical location) to make an authorization decision and use a logic-based approach to specify authorization policies in a flexible way. Such a distributed proof system makes an authorization decision by constructing a proof with information provided by different entities in a distributed environment. In this chapter, we provide an overview of distributed proof systems for cross-domain authorization, while covering major language constructs and proof-constructing algorithms, and introduce an emerging issue of protecting confidential policies and credentials (facts) in a distributed proof system involving multiple security domains since it is unlikely that a principal in one security domain is willing to release all its local information to any principal in other domains. We finally describe our distributed proof system for cross-domain authorization in detail and show how our cryptographic protocol allows mutually untrusted principals to construct a proof in a decentralized way while preserving each principal's security policies.
Copyright © 2009 by Emerald Group Publishing Limited.