Jon Howell
David Kotz
Dartmouth College
Restricted delegation is not based on ACLs. Instead, every object is completely controlled by some principal (in the diagram, the system administrator Merlin). That principal acts as the administrator of the resource and can share it, or restricted access to it, with a user principal (Alice). Alice can treat her restricted access as a complete (but "smaller") resource of its own, and in turn act as administrator in another sharing relationship with a third principal (Bob). In each sharing relationship, the administrator (the principal sharing the resource) decides how much access the recipient receives, and because each restriction applies on top of the previous one, the access that reaches the end of a chain is the intersection of the restrictions along it.
With this one mechanism, many difficult problems dissolve into simple expressions of restricted permission. Access lists can be managed by the distributed parties who hold access rather than by a central administrator. Group membership no longer requires separate security-sensitive code to implement, only a separate user interface. Authentication and access control, even between principals separated by indirection such as proxies, firewalls, or protocol translators, are handled in a consistent and simple fashion. Time limits on delegations are expressed in the same framework. The result is a trusted computing base that is not only smaller and easier to verify, but more flexible.
To give the logic meaning, it is backed by a formal semantics that provides a mathematical model. The semantics provides intuitive justification for the logic, and the logic (or a decision procedure derived from it) is used to build a tractable implementation. The semantics lets us specify precisely what the instruments of a protocol, such as statements and certificates, mean, and helps us understand what the decision procedure is telling us. A semantics enhances our ability to communicate, and hence to understand, what promises a security model can make.
Conjuncts (principals that represent two or more other principals in agreement) are first-class principals: they may be used anywhere any other principal may be. In the upper-right diagram, the DNS server can only be modified by agreement of the CIO and the system administrator, so the conjunct principal that represents their agreement speaks for the DNS server. The webmaster has obtained one restricted delegation to speak for the CIO, and another to speak for the system administrator. Together, those delegations give the webmaster control over the DNS server limited to the intersection of the two restrictions; either delegation alone gives no control at all, since it reaches only one member of the conjunct.
A quoting principal represents one principal claiming to speak on behalf of another. In the lower-right diagram, both Alice and Bob have logged on to a host computer, each giving the host permission to speak for them only when it explicitly quotes them (upper arrows). Without quoting, the host would speak directly for both Alice and Bob; if Alice then asked the host to read Bob's files, the Home Directories server would see only that the host speaks for Bob and conclude "yes, it is okay to read the file." The host itself would have to check Alice's permission, which puts it in the trusted computing base. With quoting, the request arrives as "host quoting Alice," a principal that speaks for Alice but not for Bob, so the server reaches the correct decision on its own. Quoting therefore makes it easier to build correct multiplexing servers (such as the host) by keeping them out of the trusted computing base.
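A worked decision procedure for the three constructs described above (restricted delegation chains with time limits, conjunct principals, and quoting principals), as an added example that is not the authors' code or the implementation in their technical report. The principal names, operation sets, integer clock and resource names are assumptions chosen to mirror the diagrams; the logic is the speaks-for relation described in the text, with three structural rules: a principal speaks for a conjunct only by speaking for every member, a conjunct speaks for each of its members, and a quoting principal speaks for another quoting principal component-wise. Every other step needs an explicit delegation, which is what keeps the host out of the trusted computing base.

```python
"""Toy decision procedure for restricted delegation with conjunct and
quoting principals. Added example (not the authors' code); names, operation
sets and the integer clock are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# A principal is a tagged tuple: ("atom", name), ("and", P, Q) for a conjunct
# (P and Q in agreement), or ("quote", P, Q) for "P quoting Q".
Principal = tuple

def atom(name: str) -> Principal:
    return ("atom", name)

def conj(p: Principal, q: Principal) -> Principal:
    return ("and", p, q)

def quoting(p: Principal, q: Principal) -> Principal:
    return ("quote", p, q)

@dataclass(frozen=True)
class Delegation:
    """`subject` speaks for `target`, restricted to `ops`, until `expires` (None = no limit)."""
    subject: Principal
    target: Principal
    ops: FrozenSet[str]
    expires: Optional[int] = None

    def permits(self, op: str, now: int) -> bool:
        return op in self.ops and (self.expires is None or now < self.expires)

def speaks_for(p, t, op, now, delegations, seen=frozenset()):
    """Does principal p speak for principal t on operation op at time now?"""
    if p == t:
        return True
    if (p, t) in seen:  # already on this search path: a cycle proves nothing new
        return False
    seen = seen | {(p, t)}

    def rec(a, b):
        return speaks_for(a, b, op, now, delegations, seen)

    # Speaking for a conjunct means speaking for every member of it.
    if t[0] == "and" and rec(p, t[1]) and rec(p, t[2]):
        return True
    # A conjunct speaks for each member, so either member may carry the chain.
    if p[0] == "and" and (rec(p[1], t) or rec(p[2], t)):
        return True
    # A|B speaks for A'|B' when A speaks for A' and B speaks for B'. A quoting
    # principal speaks for a plain principal only by explicit delegation.
    if p[0] == "quote" and t[0] == "quote" and rec(p[1], t[1]) and rec(p[2], t[2]):
        return True
    # Follow delegations granted to p. Every link must permit op, so what
    # survives a chain is the intersection of the restrictions along it.
    return any(rec(d.target, t)
               for d in delegations if d.subject == p and d.permits(op, now))

def authorized(requester, resource, op, now, resources, delegations):
    """Each object is controlled by one principal; grant iff the requester speaks for it."""
    return speaks_for(requester, resources[resource], op, now, delegations)

MERLIN, ALICE, BOB = atom("Merlin"), atom("Alice"), atom("Bob")
CIO, SYSADMIN, WEBMASTER, HOST = (atom("CIO"), atom("SysAdmin"),
                                  atom("Webmaster"), atom("Host"))

RESOURCES = {                      # constructed sample resources
    "printer": MERLIN,             # Merlin administers the printer outright
    "dns": conj(CIO, SYSADMIN),    # DNS changes need CIO and SysAdmin in agreement
    "alice_home": ALICE,
    "bob_home": BOB,
}

DELEGATIONS = [                    # constructed sample delegations
    # Merlin shares the printer with Alice, read and write only.
    Delegation(ALICE, MERLIN, frozenset({"read", "write"})),
    # Alice re-shares a smaller slice with Bob until time 100. She lists
    # "delete", which she never had; the chain intersection strips it.
    Delegation(BOB, ALICE, frozenset({"read", "delete"}), expires=100),
    # The webmaster holds one restricted delegation from each DNS co-owner.
    Delegation(WEBMASTER, CIO, frozenset({"update", "view"})),
    Delegation(WEBMASTER, SYSADMIN, frozenset({"update", "restart"})),
    # Alice and Bob log on to Host, which speaks for each only while quoting them.
    Delegation(quoting(HOST, ALICE), ALICE, frozenset({"read", "write"})),
    Delegation(quoting(HOST, BOB), BOB, frozenset({"read", "write"})),
]

# The naive alternative: Host simply speaks for both users, unquoted.
NO_QUOTING = DELEGATIONS[:4] + [
    Delegation(HOST, ALICE, frozenset({"read", "write"})),
    Delegation(HOST, BOB, frozenset({"read", "write"})),
]

def check(requester, resource, op, now=0, delegations=DELEGATIONS):
    return authorized(requester, resource, op, now, RESOURCES, delegations)

if __name__ == "__main__":
    print("Bob reads printer at t=50:", check(BOB, "printer", "read", now=50))
    print("Webmaster views DNS:", check(WEBMASTER, "dns", "view"))
    print("Host|Alice reads Bob's home:", check(quoting(HOST, ALICE), "bob_home", "read"))
    print("Host reads Bob's home, unquoted logon:",
          check(HOST, "bob_home", "read", delegations=NO_QUOTING))
```

Run against `DELEGATIONS`, the host quoting Alice cannot reach Bob's home directory, and the bare host cannot reach either user's files at all; run against `NO_QUOTING`, the same server grants the host access to Bob's files, which is exactly the conclusion the text warns about. The webmaster's `update` succeeds because it is in both restrictions, while `view` and `restart` each fail on one leg of the conjunct, and Bob's printer access expires at time 100 without any code outside the one decision procedure.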
A technical report is available at: http://www.cs.dartmouth.edu/~jonh/research/delegation/