A Logic-based Knowledge Representation for Authorization with Delegation


    We introduce Delegation Logic (DL), a logic-based knowledge representation (i.e., language) that deals with authorization in large-scale, open, distributed systems. Of central importance in any system for deciding whether requests should be authorized in such a system are delegation of authority, negation of authority, and conflicts between authorities. DL's approach to these issues and to the interplay among them borrows from previous work on delegation and trust management in the computer-security literature and previous work on negation and conflict handling in the logic-programming and non-monotonic reasoning literature, but it departs from previous work in some crucial ways. In this introductory paper, we present the syntax and semantics of DL and explain our novel design choices. This first paper focuses on delegation, including explicit treatment of delegation depth and delegation to complex principals; a forthcoming companion paper focuses on negation.

    Compared to previous logic-based approaches to authorization, DL provides a novel combination of features: it is based on logic programs, expresses delegation depth explicitly, and supports a wide variety of complex principals (including but not limited to k-out-of-n thresholds). Compared to previous approaches to trust management, DL provides another novel feature: a concept of proof-of-compliance that is not entirely ad hoc and that is based on model-theoretic semantics (just as usual logic programs have a model-theoretic semantics). DL's approach is also novel in that it combines the above features with smooth extensibility to non-monotonicity, negation, and prioritized conflict handling. This extensibility is accomplished by building on the well-understood foundation of DL's logic-program knowledge representation.

    Note: An extended abstract version of this paper appeared in the Proceedings of the 12th IEEE Computer Security Foundations Workshop, June 1999.

    Keywords: Authorization, delegation, trust management, security policy, non-monotonicity, conflict handling, knowledge representation, logic programs.

By: Ninghui Li, Benjamin N. Grosof, Joan Feigenbaum

Published in: RC21492 in 1999

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
