A Scalable, Seamless and Privacy-aware Access Control System based on a Federated Architecture

D.R. Lopez (Spain)




Any system intended to control access to digital resources has to fulfill four main goals: manageability (so rights can be easily defined, modified and understood by system oper ators and users), scalability (so the system can be as widely deployed as requested), protection of rights (not only on the owner's side, but also on the user's), and ease of use (making it operate as seamlessly as possible with common user practices). This paper presents how the PAPI authenti cation and authorization framework (http://papi.rediris.es/) can be applied to implement a system with the above char acteristics. PAPI intends to fully decouple authentication and authorization, linking both phases through a trust rela tionship between origin (authentication) and provider (au thorization) domains. The management of data pertain ing authentication is an issue local to the origin domain, while information providers can independently configure the provider sites to establish the access control rules for the data they offer. Assertions about user attributes are ex changed between both domains, using public key cryptog raphy to validate queries and responses.

