Limitations

We are aware of the following limitations of SDM, that reflect some of engineering trade-offs encountered in its design:

• SDM relies on initiators to enable delegation. If they do not, delegation will never be enabled and hence no delegation certificates will be generated. If delegation is not initially enabled, at a later stage during method execution (through delegation), a target object cannot determine the original initiator of the request. The only way to find out the original initiator would be to use a call back trace mechanism, which is not supported in SDM.

• SDM does not support any means to check whether a principal adopts mutually disjoint roles. SDM cannot ensure that roles adopted by a principal do not conflict (for example simultaneously requiring and prohibiting rights).

• Although the pull-once-push-many approach is an efficient approach, event notification does not carry any real-time guarantees due to possible network latency. Before a revocation event notification arrives to a listener, the listener might have already allowed the revoked delegation. Hence, the event notification across distributed systems in SDM is not atomic.