Toward An On-demand Restricted Delegation Mechanism for Grids
2006 (English). In: 2006 7th IEEE/ACM International Conference on Grid Computing, New York: IEEE, 2006, pp. 152-159. Conference paper (Refereed)
Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and nontrivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a tradeoff between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, which is the principle of least privilege. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.
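The callback-driven flow the abstract describes, as an added illustration for this page rather than the paper's own implementation: a resource acting for a delegatee holds no rights up front; when a request needs a right it calls back to the delegator, which screens the request against policy, issues a credential carrying only the intersection, and logs the decision, so the delegatee never holds more than the current step needs. Everything concrete here is an assumption, not taken from the paper: rights are plain strings, credentials are HMAC-signed JSON tokens shared between delegator and resource (a stand-in for the X.509 proxy certificates Grid systems normally use), and the policy is a per-delegatee set of grantable rights plus a lifetime. The class and function names (`Delegator`, `GridService`, `verify`, `demo`) are hypothetical.

```python
"""On-demand restricted delegation via a callback: example written for this
page, not the paper's implementation. Assumptions (not from the abstract):
rights are strings such as "read:/data/in"; a delegated credential is an
HMAC-signed JSON token shared by delegator and resource (stand-in for Grid
proxy certificates); policy is a per-delegatee set of grantable rights."""
import base64
import hashlib
import hmac
import json
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Delegator:
    """Agent of the (possibly disconnected) user: holds the full rights, hands
    out only what a specific request needs, and records every decision."""

    def __init__(self, key: bytes, policy: dict, ttl: int = 300, clock=time.time):
        self._key = key          # long-lived secret (stand-in for the user's signing key)
        self._policy = policy    # delegatee -> set of rights it may ever receive
        self._ttl = ttl          # lifetime of each issued credential, seconds
        self._clock = clock
        self.audit = []          # one entry per callback, granted or denied

    def callback(self, delegatee: str, requested: set):
        """Invoked by the resource when a request lacks a credential for a right.
        Grants the intersection of request and policy, never more; audits both."""
        allowed = set(requested) & self._policy.get(delegatee, set())
        denied = set(requested) - allowed
        self.audit.append({"t": self._clock(), "delegatee": delegatee,
                           "granted": sorted(allowed), "denied": sorted(denied)})
        return self._issue(delegatee, allowed) if allowed else None

    def _issue(self, delegatee: str, rights: set) -> str:
        now = int(self._clock())
        claims = {"sub": delegatee, "rights": sorted(rights), "iat": now, "exp": now + self._ttl}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

def verify(key: bytes, token: str, clock=time.time):
    """Resource-side check: returns the claims, or None if the token is
    malformed, forged (bad HMAC) or expired."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    return None if claims["exp"] <= clock() else claims

class GridService:
    """A resource acting for the delegatee: keeps the credentials it has been
    given and calls back for exactly the right a request needs."""

    def __init__(self, key: bytes, delegator: Delegator, clock=time.time):
        self._key, self._delegator, self._clock = key, delegator, clock
        self._creds = {}   # (delegatee, right) -> token

    def perform(self, delegatee: str, right: str) -> bool:
        token = self._creds.get((delegatee, right))
        claims = verify(self._key, token, self._clock) if token else None
        if claims is None or right not in claims["rights"]:
            token = self._delegator.callback(delegatee, {right})   # on-demand provisioning
            if token is None:
                return False                                       # screened out by policy
            self._creds[(delegatee, right)] = token
            claims = verify(self._key, token, self._clock)
        return claims is not None and right in claims["rights"]

class FakeClock:
    """Controllable time source so expiry can be exercised offline."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t

def demo():
    """Constructed scenario: job-42 may read its input and write its output,
    nothing else; job-99 is unknown to the delegator."""
    clock = FakeClock()
    key = b"demo-secret-not-for-production"
    delegator = Delegator(key, {"job-42": {"read:/data/in", "write:/data/out"}}, ttl=60, clock=clock)
    service = GridService(key, delegator, clock=clock)
    results = {
        "read_in": service.perform("job-42", "read:/data/in"),    # granted on demand
        "exec": service.perform("job-42", "exec:/bin/sh"),        # denied and audited
        "unknown": service.perform("job-99", "read:/data/in"),    # no policy entry
    }
    clock.t += 120                                                # first credential expires
    results["read_in_after_expiry"] = service.perform("job-42", "read:/data/in")  # re-provisioned
    results["callbacks"] = len(delegator.audit)
    return results, delegator
```

Running `demo()` yields four callbacks: one grant for the read, one full denial for the shell execution, one denial for the unknown job, and a fresh grant once the first credential has expired. The audit list is the runtime observation the abstract mentions: each entry records what was asked for, what was granted and what was refused, whether or not a credential was issued.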
Place, publisher, year, edition, pages
New York: IEEE, 2006, pp. 152-159
Identifiers
URN: urn:nbn:se:kth:diva-9931
DOI: 10.1109/ICGRID.2006.311010
ISI: 000245376900020
ScopusID: 2-s2.0-46149103695
ISBN: 978-1-4244-0343-1
OAI: oai:DiVA.org:kth-9931
DiVA: diva2:159668
7th IEEE/ACM International Conference on Grid Computing. Barcelona, SPAIN. SEP 28-29, 2006
QC 20100621. Available from: 2009-02-09. Created: 2009-02-09. Last updated: 2011-10-06. Bibliographically approved.