• DocumentCode
    1649846
  • Title
    Understanding SPKI/SDSI using first-order logic
  • Author
    Li, Ninghui ; Mitchell, John C.
  • Author_Institution
    Dept. of Comput. Sci., Stanford Univ., CA, USA
  • fYear
    2003
  • Firstpage
    89
  • Lastpage
    103
  • Abstract
    SPKI/SDSI is a language for expressing distributed access control policy, derived from SPKI and SDSI. We provide a first-order logic (FOL) semantics for SDSI, and show that it has several advantages over previous semantics. For example, the FOL semantics is easily extended to additional policy concepts and gives meaning to a larger class of access control and other policy analysis queries. We prove that the FOL semantics is equivalent to the string rewriting semantics used by SDSI designers, for all queries associated with the rewriting semantics. We also provide an FOL semantics for SPKI/SDSI. This reveals some problems. For example, the standard proof procedure in RFC 2693 is semantically incomplete. In addition, as noted before by other authors, authorization tags in SPKI/SDSI are algorithmically problematic, making a complete proof procedure unlikely. We compare SPKI/SDSI with RT1C, which is a language in the RT role-based trust-management framework that can be viewed as an extension of SDSI. The constraint feature of RT1C, based on constraint datalog, provides an alternative mechanism that is expressively similar to SPKI/SDSI tags, semantically natural, and algorithmically tractable.
  • Keywords
    authorisation; logic programming; programming language semantics; programming languages; public key cryptography; SDSI; SPKI; constraint datalog; distributed access control; first-order logic; role-based trust-management language; simple distributed security infrastructure; simple public key infrastructure; string rewriting; tractable; Access control; Algorithm design and analysis; Authorization; Availability; Computer science; Computer security; Data security; Logic; Public key; Safety;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Foundations Workshop, 2003. Proceedings. 16th IEEE
  • ISSN
    1063-6900
  • Print_ISBN
    0-7695-1927-X
  • Type
    conf
  • DOI
    10.1109/CSFW.2003.1212707
  • Filename
    1212707