
Revocation

Disconnected operation is common in our system, and revocation of access rights is consequently a concern. Effective revocation of access rights in distributed systems is generally considered a hard problem [9], and lack of connectivity makes it even more difficult. This places limits on when revocation can be performed. There are essentially two approaches to revoking a certificate:

1. limit the time frame in which the certificate is valid, or
2. let the certificate be valid only once.

Both approaches have their merits and disadvantages [4]. FR provides offline delegation and supports both mechanisms. To ensure that a certificate is used only once, certificates are stored until they expire. This policy gives certificates "once-only" semantics (see [4]). Users cannot override this policy, but if there is a need to grant another user access on a more permanent basis, Access Control Lists (ACLs) can be implemented. A discussion of ACLs in FR is outside the scope of this article.

Timestamps are used as an additional source of information for revocation purposes. Since individual users specify access policies, the correctness of the timestamp encoded into each delegation certificate depends entirely on that user's ability to determine the current time. However, timestamps are only used to recognize and refuse old certificates. The use of time to discard once-only delegation certificates is not entirely without risks (for a discussion, see, for example, [3]).
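The two mechanisms described above (once-only semantics enforced by remembering each certificate until it expires, plus a timestamp check that refuses old certificates) can be combined in a small verifier. The following is an added illustration, not FR's own code; the certificate fields, the SHA-256 fingerprint used as the certificate identity, and the `max_age` threshold are assumptions chosen for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, Tuple


@dataclass(frozen=True)
class Certificate:
    """Delegation certificate (constructed format, not FR's actual layout)."""
    issuer: str
    grantee: str
    resource: str
    issued_at: int    # seconds; taken from the issuer's own clock
    expires_at: int   # seconds; end of the validity time frame

    def fingerprint(self) -> str:
        # Stable identity for the certificate contents (assumption: a hash of
        # the canonical encoding stands in for whatever identifier FR uses).
        canonical = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


class OnceOnlyVerifier:
    """Accepts each certificate at most once and refuses stale or expired ones."""

    def __init__(self, max_age: int) -> None:
        # max_age: how old (by its own timestamp) a certificate may be before
        # it is refused as "old" regardless of its expiry field.
        self.max_age = max_age
        # fingerprint -> expires_at; entries are kept only until they expire,
        # because an expired certificate is rejected by the expiry check anyway.
        self._seen: Dict[str, int] = {}

    def _prune(self, now: int) -> None:
        self._seen = {fp: exp for fp, exp in self._seen.items() if exp > now}

    def pending(self) -> int:
        """Number of certificates currently remembered for replay detection."""
        return len(self._seen)

    def accept(self, cert: Certificate, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for a presented certificate at time `now`."""
        self._prune(now)
        if cert.expires_at <= now:
            return False, "expired"
        if cert.issued_at > cert.expires_at:
            return False, "malformed validity window"
        # Timestamps are used only to recognise and refuse old certificates;
        # a certificate issued further in the past than max_age is refused.
        if now - cert.issued_at > self.max_age:
            return False, "stale timestamp"
        fp = cert.fingerprint()
        if fp in self._seen:
            return False, "replayed"
        # Remember it until its own expiry so a second presentation is refused.
        self._seen[fp] = cert.expires_at
        return True, "accepted"


if __name__ == "__main__":
    v = OnceOnlyVerifier(max_age=300)
    cert = Certificate("alice", "bob", "/home/alice/report", 1000, 1600)
    print(v.accept(cert, 1010))   # accepted on first use
    print(v.accept(cert, 1020))   # refused: already used once
    print(v.accept(cert, 1700))   # refused: expired (and forgotten by the cache)
```

Because the verifier relies on the issuer's clock for `issued_at`, a user whose clock is badly wrong will either have fresh certificates refused as stale or old ones accepted as fresh; this is the risk the paragraph above refers to, and it is why the timestamp is only a supplementary check next to the once-only store.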


Tage Stabell-Kulo
1999-07-06